[UPHPU] receiving with $_REQUEST
std3rr at gmail.com
Thu Feb 28 12:41:45 MST 2008
On Thu, Feb 28, 2008 at 11:28 AM, Wade Preston Shearer <
lists at wadeshearer.com> wrote:
> It's obviously wise to only post a form using GET when you absolutely
> need to or there are no security concerns involved, but what about on
> the receiving end? Are there any reasons to not always receive with
> $_REQUEST? I have heard people say that you should only use $_REQUEST
> when you absolutely need to receive from both GET and POST, but if a
> hacker can simulate a POST just as easy as GET then how is it insecure?
>
First, it's wise to use a GET when the processing is idempotent (it
doesn't affect anything permanently), as per the HTTP RFC.
Second, explicit ($_POST / $_GET versus $_REQUEST) is always better than
implicit, especially when it comes to security. Specifying the exact
request method is always preferable.
"Insert pseudo-insightful quote here." - Some Guy
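
The explicit-versus-implicit point in the reply above, as an added example that is not part of the original message. The function names and the `delete_id` field are hypothetical, and the request data is constructed so the script runs from the PHP command line.

```php
<?php
// Added illustration; delete_implicit(), delete_explicit() and 'delete_id'
// are hypothetical names, not code from the thread.

// Implicit: $_REQUEST merges GET, POST and (depending on request_order)
// cookie data, so the handler cannot tell which channel supplied the value.
function delete_implicit(array $request): ?int
{
    return isset($request['delete_id']) ? (int) $request['delete_id'] : null;
}

// Explicit: the state-changing action is accepted only for the POST method,
// and the value is read only from the POST body, then validated.
function delete_explicit(string $method, array $post): ?int
{
    if ($method !== 'POST') {
        return null; // a real handler would answer 405 Method Not Allowed
    }
    $id = filter_var(
        $post['delete_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Constructed request 1: GET /items.php?delete_id=7 (e.g. a followed link).
$get  = ['delete_id' => '7'];
$post = [];
$request = array_merge($get, $post); // stands in for $_REQUEST

var_dump(delete_implicit($request));     // int(7): a GET changed state
var_dump(delete_explicit('GET', $post)); // NULL: GET stays idempotent

// Constructed request 2: POST with delete_id=7 in the body.
var_dump(delete_explicit('POST', ['delete_id' => '7']));   // int(7)
var_dump(delete_explicit('POST', ['delete_id' => 'abc'])); // NULL: rejected

// In a live script the call would be:
//   delete_explicit($_SERVER['REQUEST_METHOD'], $_POST);
```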