On Thu, Feb 28, 2008 at 11:43 AM, Wade Preston Shearer <[EMAIL PROTECTED]> wrote:
> On 28 Feb 2008, at 12:41, Joshua Simpson wrote:
>
> > Second, explicit ($_POST / $_GET versus $_REQUEST) is always better
> > than implicit, especially when it comes to security. Specifying the
> > exact request method is always preferable.
>
> Why?

Because it's less strict. If you're not explicitly referencing the method, it becomes that much easier to rewrite something, unwittingly or not. Calling it a "security hole" is a misnomer; it's not technically a "security hole" - it's just a bad practice in terms of security.

It's also bad form generally. As a software developer you shouldn't just handle all requests the same. If a client uses a POST method rather than a GET method as you want it to be handled, it _shouldn't_ be handled the same. You're putting all request methods in the same namespace, and it's a lazy (and not in the good way) way to handle data in your application.

--
- http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
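The difference discussed in this message, as an added example that is not part of the original post: a handler reading `$_REQUEST` next to one that checks the request method and reads `$_POST` only. The function names, the `action`/`id` parameters and the sample request are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names and the sample request are constructed.

// Implicit: reads from $_REQUEST, so the value is accepted no matter
// which request method (or source) delivered it.
function handle_implicit(array $request): string
{
    if (($request['action'] ?? '') === 'delete') {
        return 'deleted item ' . (int) ($request['id'] ?? 0);
    }
    return 'nothing to do';
}

// Explicit: the state-changing action is only honoured when it arrives
// in the body of a POST request; any other method is rejected.
function handle_explicit(string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    if (($post['action'] ?? '') === 'delete') {
        return 'deleted item ' . (int) ($post['id'] ?? 0);
    }
    return 'nothing to do';
}

// Constructed request: GET /item.php?action=delete&id=42
$_SERVER['REQUEST_METHOD'] = 'GET';
$_GET  = ['action' => 'delete', 'id' => '42'];
$_POST = [];
// Under the CLI $_REQUEST is not populated automatically, so build it
// the way request_order = "GP" would: GET first, POST overriding.
$_REQUEST = array_merge($_GET, $_POST);

// The same GET request is acted on by the implicit handler and
// refused by the explicit one.
echo handle_implicit($_REQUEST), "\n";
echo handle_explicit($_SERVER['REQUEST_METHOD'], $_POST), "\n";
```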
