[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 12:41:45 MST 2008


On Thu, Feb 28, 2008 at 11:28 AM, Wade Preston Shearer <
lists at wadeshearer.com> wrote:

> It's obviously wise to only post a form using GET when you absolutely
> need to or there are no security concerns involved, but what about on
> the receiving end? Are there any reasons to not always receive with
> $_REQUEST? I have heard people say that you should only use $_REQUEST
> when you absolutely need to receive from both GET and POST, but if a
> hacker can simulate a POST just as easy as GET then how is it insecure?
>

First, it's wise to use a GET when the processing is idempotent (it
doesn't affect anything permanently), as per the HTTP RFC.

Second, explicit ($_POST / $_GET versus $_REQUEST) is always better than
implicit, especially when it comes to security.  Specifying the exact
request method is always preferable.

dw

-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
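
Added example, not part of the original message: a sketch of the explicit-versus-implicit point made in the reply, with an implicit reader in the style of $_REQUEST beside a handler that checks the method and reads only the POST body. The field name 'email', the function names and the sample request are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Implicit: mirrors reading from $_REQUEST, which merges GET, POST and
 * (depending on the request_order / variables_order ini settings) cookies.
 * The handler cannot tell which source supplied the value.
 */
function email_implicit(array $request): ?string
{
    $value = $request['email'] ?? null;
    return is_string($value) ? $value : null;
}

/**
 * Explicit: a state-changing handler accepts POST only and reads the
 * POST body only. Anything else is refused before the field is touched.
 */
function email_explicit(string $method, array $post): ?string
{
    if ($method !== 'POST') {
        return null; // caller should respond 405 Method Not Allowed
    }
    $value = $post['email'] ?? null;
    return is_string($value) ? $value : null; // also rejects email[]=... arrays
}

// Constructed request: a GET that carries the field in the query string.
$method  = 'GET';
$get     = ['email' => 'from-query@example.test'];
$post    = [];
$request = array_merge($get, $post); // stand-in for what $_REQUEST would hold

// The implicit reader takes the value from the URL without noticing;
// the explicit handler refuses the request because it is not a POST.
var_dump(email_implicit($request));
var_dump(email_explicit($method, $post));

// In a real script the explicit call would be:
// email_explicit($_SERVER['REQUEST_METHOD'], $_POST);
```

Checking the method does not authenticate the sender; it only ensures the handler processes the kind of request it was written for.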

