> >>accept_parameters($user_string); // or something similar
> register_globals off.
> $user_string=$HTTP_POST_VARS["user_string"];
> This accomplishes the same thing as your example, and doesn't 
> introduce any new syntax... I don't really see the advantage of the 
> "accept_parameters" idea.

Well, the programmer doesn't need to know if it was introduced by POST or
GET or whatever, and will be made to think about what parameters he/she is
accepting... thereby making him aware of the security issues.
Plus, it looks better :-)
(yeah I know, subjective...)

Cheerio, Marc.

PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to