On Wed, September 14, 2005 4:03 pm, Ben wrote: >>>using $_REQUEST you'll be oblivious. You ought to know where your >>>variable values are coming from, $_REQUEST hides this.
I think I must object to saying "$_REQUEST" hides this. $_REQUEST tells you it came from POST or GET (or COOKIE) Anyway, I have several applications where both GET and POST are supported, and behave the same, using $_REQUEST. I really don't care if somebody wants to web-scrape with GET instead of POST, or even if they manage to fargle their Cookies to get the data they need. GET, POST, and COOKIE are all equally untrustworthy in my eyes. Lumping them into one big mess to deal with, and responding to them "the same" makes sense to me from a Security standpoint. And certainly providing an HTTP response to both GET/POST, not caring which way the requestor asked for it, doesn't matter to me. I don't think it "reduces" security to not care about whether the request is GET or POST -- Any moron can fake up either GET or POST in minutes. No difference, in the Big Picture. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
