As long as there are no security problems, isn't this flexibility a
good thing?
Not at all. There are reasons why the RFC defines GET, POST, PUT, DELETE,
etc., differently. You should know which method is being used, and you
shouldn't access them all the same way. There's absolutely no reason for
$_REQUEST to even exist in PHP. Read the RFC [1], please. There's no
excuse for a web developer not to have the HTTP RFC down pat.
Agreed.
For example, you might offer a one-click purchase button:
<form action="https://www.yourcompany.com/cart.php" method="post">
<input type="hidden" name="product_id" value="12345" />
<input type="submit" name="submit" value="Buy this product now" />
</form>
If you use $_REQUEST instead of $_POST, then visiting the following
URL will also cause your product to be purchased:
https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now
Now, let's say a hacker embeds the above URL in his MySpace page as an
image.
<img src="https://www.yourcompany.com/cart.php?product_id=12345&submit=Buy%20this%20product%20now" />
Any of your previously authenticated customers who visit this hacker's
MySpace page will automatically purchase your product without knowing
it.
This is called cross-site request forgery (CSRF):
http://en.wikipedia.org/wiki/Cross-site_request_forgery
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
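The cart.php handler from the thread above, written out in both forms as an added example (this is not code from the original post or from UPHPU). The vulnerable handler reads from the merged $_REQUEST-style input, so the <img> GET described above is honoured; the hardened one insists on POST and on a per-session CSRF token. The purchase() helper, the session array layout and the cart_demo.php file name are assumptions for illustration; the request arrays at the bottom are constructed so the script runs from the command line without a web server.

```php
<?php
// Added example, not code from the original post. purchase(), the session
// layout and the file name cart_demo.php are assumptions for illustration.
declare(strict_types=1);

// Vulnerable: $_REQUEST merges GET, POST and (depending on request_order)
// cookie data, so a plain GET such as the <img src="...cart.php?product_id=
// 12345&submit=..."> from the thread is accepted exactly like the real form.
// In the real script this would be called as cart_vulnerable($_REQUEST).
function cart_vulnerable(array $request): ?string
{
    if (!isset($request['submit'], $request['product_id'])) {
        return null;
    }
    return purchase((string) $request['product_id']);
}

// Hardened: require POST and a per-session CSRF token. Requiring POST alone
// stops the <img> trick but not a hidden auto-submitting <form method="post">
// on the attacker's page; the token, which the attacker's page cannot read,
// stops that too. Called as cart_hardened($_SERVER['REQUEST_METHOD'],
// $_POST, $_SESSION) in the real script.
function cart_hardened(string $method, array $post, array $session): ?string
{
    if ($method !== 'POST') {
        return null;
    }
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return null;
    }
    if (!isset($post['submit'], $post['product_id'])) {
        return null;
    }
    return purchase((string) $post['product_id']);
}

// Issue (or reuse) the session token when rendering the form page.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The one-click form from the post, with the token carried as a hidden field.
function render_form(string $token): string
{
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form action="https://www.yourcompany.com/cart.php" method="post">'
        . '<input type="hidden" name="csrf_token" value="' . $t . '" />'
        . '<input type="hidden" name="product_id" value="12345" />'
        . '<input type="submit" name="submit" value="Buy this product now" />'
        . '</form>';
}

// Stand-in for the real purchase step (assumption): returns the product id
// that would have been charged so the calls below show what each handler did.
function purchase(string $productId): string
{
    return $productId;
}

// Constructed requests; run with `php cart_demo.php`.
$session = [];
$token   = csrf_token($session);
echo render_form($token), "\n";

// The query string from the <img src> in the thread, as PHP would parse it.
$imgGet = ['product_id' => '12345', 'submit' => 'Buy this product now'];

var_dump(cart_vulnerable($imgGet));                  // the <img> GET is accepted
var_dump(cart_hardened('GET', [], $session));        // GET is refused
var_dump(cart_hardened('POST', $imgGet, $session));  // POST without a token is refused
var_dump(cart_hardened('POST', $imgGet + ['csrf_token' => 'forged'], $session)); // wrong token refused
var_dump(cart_hardened('POST', $imgGet + ['csrf_token' => $token], $session));   // genuine form accepted
```

The token is compared with hash_equals() rather than `==` so the comparison is constant-time and the same code works whatever type PHP coerced the posted value to; the method check comes first so a GET is refused before any input is looked at.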