On Thu, Feb 28, 2008 at 11:28 AM, Wade Preston Shearer < [EMAIL PROTECTED]> wrote:
> It's obviously wise to only post a form using GET when you absolutely
> need to or there are no security concerns involved, but what about on
> the receiving end? Are there any reasons to not always receive with
> $_REQUEST? I have heard people say that you should only use $_REQUEST
> when you absolutely need to receive from both GET and POST, but if a
> hacker can simulate a POST just as easy as GET then how is it insecure?

First, it's wise to use a GET when the processing is idempotent (it doesn't
affect anything permanently), as per the HTTP RFC.

Second, explicit ($_POST / $_GET versus $_REQUEST) is always better than
implicit, especially when it comes to security. Specifying the exact request
method is always preferable.

dw
--
- http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy

_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
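
An added example, not part of the original thread, contrasting a handler that reads from the merged request array with one that checks the method and reads only from the POST body. The function names and sample requests are constructed for illustration, and the merge assumes request_order = "GP".

```php
<?php
// Added example; function names and sample requests are constructed.

// Approximates how PHP fills $_REQUEST when request_order = "GP":
// GET values first, POST values override on a key collision.
function build_request(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Implicit: takes "id" from whichever source supplied it.
function delete_implicit(array $request): string
{
    return isset($request['id'])
        ? 'deleted ' . (int) $request['id']
        : '400 Bad Request';
}

// Explicit: a state-changing action is accepted only as a POST,
// and the value is read only from the POST body.
function delete_explicit(string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';
    }
    $id = $post['id'] ?? null;
    if (!is_string($id) || !ctype_digit($id)) {
        return '400 Bad Request';
    }
    return 'deleted ' . (int) $id;
}

// Constructed requests: [method, query-string params, body params].
// In a real handler these are $_SERVER['REQUEST_METHOD'], $_GET, $_POST.
$samples = [
    ['GET',  ['id' => '42'], []],
    ['POST', [],             ['id' => '7']],
    ['POST', ['id' => '42'], []],
];

foreach ($samples as [$method, $get, $post]) {
    printf(
        "%-4s implicit: %-16s explicit: %s\n",
        $method,
        delete_implicit(build_request($get, $post)),
        delete_explicit($method, $post)
    );
}
```

Run with `php` on the command line; the first and third samples show the implicit handler acting on a query-string value that the explicit handler refuses.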
