Re: [PHP] $_POST vs $_REQUEST

2010-02-25 Thread Jochem Maas
On 2/24/10 11:18 AM, Ashley Sheridan wrote: On Wed, 2010-02-24 at 07:55 +, Jochem Maas wrote: On 2/22/10 10:49 PM, John Black wrote: On 02/22/2010 11:42 PM, Michael Shadle wrote: The difference here is you can at least have some control over the data and expect it in a certain

Re: [PHP] $_POST vs $_REQUEST

2010-02-24 Thread Rene Veerman
sry i gotta disagree. a function that queries $_POST/$_GET first and then $_COOKIE seems much wiser to me. it consolidates all logic in the script, and making that logic obvious by syntax, rather than relying on functionality being determined by php.ini, which could well cause a new developer to

Re: [PHP] $_POST vs $_REQUEST

2010-02-23 Thread Richard
Hi, Well people better than me (how is that possible?!) have said that $_REQUEST has the potential to open your app up to security vulnerabilities, and that it should be avoided because of that. Here's a post from Stefan Esser about it on the PHP-Internals list:

Re: [PHP] $_POST vs $_REQUEST

2010-02-23 Thread Ashley Sheridan
On Tue, 2010-02-23 at 09:19 +, Richard wrote: Hi, Well people better than me (how is that possible?!) have said that $_REQUEST has the potential to open your app up to security vulnerabilities, and that it should be avoided because of that. Here's a post from Stefan Esser about it on

RE: [PHP] $_POST vs $_REQUEST

2010-02-23 Thread Bob McConnell
From: Rene Veerman [mailto:rene7...@gmail.com] On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle Single quotes is best, correct to prevent sql injection? sql injection fixing is an evolving art, but you can start by pushing all variables that can be changed by end-users going into a database

Re: [PHP] $_POST vs $_REQUEST

2010-02-23 Thread tedd
At 11:07 PM +0100 2/22/10, John Black wrote: On 02/22/2010 10:37 PM, Michael Shadle wrote: On Mon, Feb 22, 2010 at 1:30 PM, David Murphy da...@icewatermedia.com wrote: Richard, The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST, they should ALL be treated as bad data until

Re: [PHP] $_POST vs $_REQUEST

2010-02-23 Thread Jochem Maas
On 2/23/10 10:27 AM, Ashley Sheridan wrote: On Tue, 2010-02-23 at 09:19 +, Richard wrote: Hi, Well people better than me (how is that possible?!) have said that $_REQUEST has the potential to open your app up to security vulnerabilities, and that it should be avoided because of that.

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Richard
Hi, I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. When would I choose one over the other? It's a wise choice to go with $_POST, unless your form is a GET form, in which case use $_GET. $_REQUEST has the potential to open your

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread shiplu
On Tue, Feb 23, 2010 at 2:39 AM, Slack-Moehrle mailingli...@mailnewsrss.com wrote: Hi All, I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. When would I choose one over the other? Also, I see examples of these being used with and

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Joseph Thayne
Richard wrote: It's a wise choice to go with $_POST, unless your form is a GET form, in which case use $_GET. $_REQUEST has the potential to open your script(s) up to security issues. I am not sure what the security issues are you are referring to as the $_REQUEST superglobal contains

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Rene Veerman
On Mon, Feb 22, 2010 at 9:39 PM, Slack-Moehrle mailingli...@mailnewsrss.com wrote: Hi All, I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. When would I choose one over the other? I like to be specific and go for $_POST, but some

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread John Black
On 02/22/2010 09:39 PM, Slack-Moehrle wrote: Hi All, I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. When would I choose one over the other? When you don't care how you get the data use $_REQUEST. $_REQUEST will contain

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Rene Veerman
i'd expect without quotes to query a define('j_orderValue','??').. oh, and that, if not defined, defaults to the string 'j_orderValue'. So while your $_POST[] with or without quotes will do the same, use single-quotes anyway because it's the right thing to do ;)

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Richard
Hi, I am not sure what the security issues are you are referring to as the $_REQUEST superglobal contains both $_GET and $_POST values.  Could you expound on that?  Thanks. Not really, do a search. -- Richard Heyes HTML5 canvas graphing: RGraph - http://www.rgraph.net (updated 20th

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Kim Madsen
Hi Slack-Moehrle Slack-Moehrle wrote on 22/02/2010 21:39: Hi All, I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. When would I choose one over the other? $_REQUEST['test'] is true on both $_GET['test'] and $_POST['test'] I use it

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Dotan Cohen
I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. Look at this example: <form action="page.php?foo=bar"> <input type="hidden" name="foo" value="pub"> </form> Now what do you think $_REQUEST will return? You had better not even think. Just use

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Michael Shadle
On Mon, Feb 22, 2010 at 12:55 PM, Joseph Thayne webad...@thaynefam.org wrote: I am not sure what the security issues are you are referring to as the $_REQUEST superglobal contains both $_GET and $_POST values.  Could you expound on that?  Thanks. $_REQUEST opens you up to POST/GET values

RE: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread David Murphy
such as $_REQUEST. David Murphy -Original Message- From: richard.he...@gmail.com [mailto:richard.he...@gmail.com] On Behalf Of Richard Sent: Monday, February 22, 2010 3:03 PM To: Joseph Thayne Cc: Slack-Moehrle; php-general Subject: Re: [PHP] $_POST vs $_REQUEST Hi, I am not sure what

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Michael Shadle
On Mon, Feb 22, 2010 at 1:30 PM, David Murphy da...@icewatermedia.com wrote: Richard, The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST, they should ALL be treated as bad data until normalized and sanitized. The claim that it opens a security hole is just false,

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Slack-Moehrle
John, Then if you use a MySQL database you would escape the string like this $tmp = mysql_real_escape_string($_REQUEST['yyy']); mysql_real_escape_string() protects from SQL injection by escaping your string according to what your charset requires. Good point, I should be doing that. But only

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread John Black
On 02/22/2010 10:37 PM, Michael Shadle wrote: On Mon, Feb 22, 2010 at 1:30 PM, David Murphy da...@icewatermedia.com wrote: Richard, The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST, they should ALL be treated as bad data until normalized and sanitized. The claim that it

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Michael Shadle
On Mon, Feb 22, 2010 at 2:07 PM, John Black s...@network-technologies.org wrote: And how is this more secure? I can create a cookie, send post or get on my client machine and send anything I want to the server. Just because you are getting a cookie does not mean that you created it :) So you

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Andrew Ballard
On Mon, Feb 22, 2010 at 5:02 PM, Slack-Moehrle mailingli...@mailnewsrss.com wrote: John, Then if you use a MySQL database you would escape the string like this $tmp = mysql_real_escape_string($_REQUEST['yyy']); mysql_real_escape_string() protects from SQL injection by escaping your string

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread John Black
On 02/22/2010 11:17 PM, Michael Shadle wrote: Secure might be the wrong term here. As you can easily change GET to POST and vice-versa and send any cookies you like, this is why I tried to revise my statement and quantify it better... in a properly coded app it doesn't present much issue.

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Daniel Egeberg
On Mon, Feb 22, 2010 at 22:37, Michael Shadle mike...@gmail.com wrote: On Mon, Feb 22, 2010 at 1:30 PM, David Murphy da...@icewatermedia.com wrote: Richard, The use of $_REQUEST is no more a security hole than $_GET or $_REQUEST, they should ALL be treated as bad data until normalized and

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Michael Shadle
The difference here is you can at least have some control over the data and expect it in a certain fashion. Also the behavior of cookies vs. get vs. post are different (cookies have length and expiration limits, get has length limits, post has server configured limits) Like I said a

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Jochem Maas
On 2/22/10 8:39 PM, Slack-Moehrle wrote: Hi All, I have Forms that I submit for processing. I have seen examples of people using either $_POST or $_REQUEST. When would I choose one over the other? use $_POST, $_REQUEST is normally an amalgam of GET, POST and COOKIE - as such using

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread John Black
On 02/22/2010 11:42 PM, Michael Shadle wrote: The difference here is you can at least have some control over the data and expect it in a certain fashion. Also the behavior of cookies vs. get vs. post are different (cookies have length and expiration limits, get has length limits, post has server

Re: [PHP] $_POST vs $_REQUEST

2010-02-22 Thread Ashley Sheridan
On Mon, 2010-02-22 at 23:49 +0100, John Black wrote: On 02/22/2010 11:42 PM, Michael Shadle wrote: The difference here is you can at least have some control over the data and expect it in a certain fashion. Also the behavior of cookies vs. get vs. post are different (cookies have length