Michael Shadle wrote: > On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham <nrix...@gmail.com> wrote: > >> bc? all the reasoning in the world won't justify it to 1 million businesses >> running php 4 code which is reliant on $_REQUEST behind the scenes. >> >> although it would generate a tonne of freelance work :p > > that code has to change for 5.3 or 6.0 anyway. > > now is the time to yank out some of the legacy crap. we don't want PHP > to be like windows, do we?
The more stuff like this we remove, the harder it becomes for people to quickly move to newer, faster and more secure versions of PHP. That causes way more frustration for everyone than a few "ugly" legacy features. If there is a decent technical reason, performance or security, then we need to take a hard look at it. In this case, the thing we should be looking at isn't whether we should remove $_REQUEST but whether we should remove cookie data from it. Many configurations already do that, including all of my own, and there is a strong valid security reason for not including cookies in $_REQUEST. Most people use $_REQUEST to mean GET or POST, not realizing that it could also contain cookies and as such bad guys could potentially do some cookie injection tricks and break naive applications. -Rasmus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php