On 8/26/07, Richard Lynch <[EMAIL PROTECTED]> wrote:

> This is *SO* not correct at all!
>
> $_REQUEST[] is merely array_merge($_GET, $_POST, $_COOKIE);

Yes and it mimics being lazy - allowing overriding values from $_POST
vs. $_GET vs. $_COOKIE depending on what the programmer wants to
"trust"

It encourages poor practices. There is no reason to not name the
proper source of data - i.e. "I want it from POST not GET".

> It is *NOT* in any way, shape, or form, polluting the global namespace
> of all your variables, which is what register_globals is.

That is why I said it was *one* reason register_globals was disabled -
global namespace was probably the biggest reason, but also variable
overriding and sloppiness allowing for exploits was probably up there
too.

> There could easily be a script written which is expected to respond to
> GET or POST data in the same way, particularly a simplistic
> web-service that doesn't really care if the web "Designers" prefer to
> have buttons or links or CSS links that look like buttons or CSS
> buttons that look like links or rabid squirrels that send the GET
> and/or POST data to make the HTTP request.

Yes, there could. But part of that would rely on a *very* motivated
end-user (or we'll call them "hacker") - they would probably find a
way in or do what they want either way.

There's no reason to make it easier just because "well they can hack
something up to do that anyway" - that's a Microsoft approach to
security. Whatever happened to people at least trying to discourage
abuse or issues.

I have never used $_REQUEST and my applications don't seem to have any
issues. Obviously someone could have tried to switch POST/GET on me,
but I still ensure proper bounds checking/sanity checking/type
checking/etc. But I would not allow someone to issue a GET variable to
override a cookie value without having to make the extra effort (and
furthermore understand how the variables work on the server side to
make it actually work how they want.)

> Use $_POST when you expect the data to always be in POST data.

correct.

> Use $_GET when you expect the data to always be in GET data.

correct.

> If you actually want to accept HTTP requests of either kind for
> flexibility to an external user, by all means use REQUEST.

In my opinion a properly coded web application shouldn't be lazy and
should know the source of data. So I consider this incorrect.

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
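
The override behaviour argued about in this message, as an added example that is not part of the original e-mail: PHP fills $_REQUEST by merging the sources in the order given by the request_order (or variables_order) setting, with later letters overriding earlier ones, so the value a script sees for a key present in two sources depends on configuration. The helper names merged_request() and int_from() and all sample values are constructed for illustration.

```php
<?php
// Constructed request data: the same key arrives by query string and cookie.
$get    = ['account' => '1337', 'page' => '2'];
$post   = ['amount' => '25'];
$cookie = ['account' => '42'];

/**
 * Emulate how $_REQUEST is built: sources are merged in the order of the
 * request_order / variables_order letters, later letters overriding earlier.
 */
function merged_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Read an integer from one named source only, with type and bounds checks. */
function int_from(array $source, string $key, int $min, int $max): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null; // absent, or an array such as account[]=1
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// The merged view: which "account" survives changes with the order string.
var_dump(merged_request('GPC', $get, $post, $cookie)['account']);
var_dump(merged_request('CGP', $get, $post, $cookie)['account']);

// The explicit view: the caller states where the value must come from,
// so a parameter supplied through another channel is never consulted.
var_dump(int_from($cookie, 'account', 1, 999999));
var_dump(int_from($post, 'account', 1, 999999));
var_dump(int_from($post, 'amount', 1, 1000));
```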