[UPHPU] receiving with $_REQUEST
Joshua Simpson
std3rr at gmail.com
Thu Feb 28 12:57:41 MST 2008
If a
On Thu, Feb 28, 2008 at 11:43 AM, Wade Preston Shearer <lists at wadeshearer.com> wrote:
> On 28 Feb 2008, at 12:41, Joshua Simpson wrote:
>
> > Second, explicit ($_POST / $_GET versus $_REQUEST) is always better than
> > implicit, especially when it comes to security. Specifying the exact
> > request method is always preferable.
>
> Why?
>
>
Because it's less strict. If you're not explicitly referencing the method,
it becomes that much easier to rewrite something, unwittingly or not.
Calling it a "security hole" is a misnomer; it's not technically a
"security hole" - it's just a bad practice in terms of security. It's also
bad form generally. As a software developer you shouldn't just handle all
requests the same. If a client uses a POST method rather than a GET method
as you want it to be handled, it _shouldn't_ be handled the same. You're
putting all request methods in the same namespace, and it's a lazy (and not
in the good way) way to handle data in your application.
--
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
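The point made in the message above, as an added example that is not part of the original thread: a model of how `$_REQUEST` merges its sources according to the `request_order` setting, next to a handler that names its method explicitly. The functions `build_request` and `read_field` and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names and sample values are constructed.

// Model of how PHP fills $_REQUEST: the sources named in request_order are
// merged left to right, so a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is; later values win on collision.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Explicit alternative: accept the field only from the method the handler expects.
function read_field(string $expected, string $actual, array $get, array $post, string $name): string
{
    if ($actual !== $expected) {
        throw new RuntimeException("405: expected $expected, got $actual");
    }
    $source = ($expected === 'POST') ? $post : $get;
    if (!isset($source[$name]) || !is_string($source[$name])) {
        throw new RuntimeException("400: field '$name' missing from $expected data");
    }
    return $source[$name];
}

// Constructed request: a POST whose URL and cookies carry the same field name.
$get    = ['role' => 'from-query-string'];
$post   = ['role' => 'from-form-body'];
$cookie = ['role' => 'from-cookie'];

// Implicit: which value the code sees depends on configuration, not on the code.
foreach (['GP', 'PG', 'GPC'] as $order) {
    printf("request_order=%-3s role=%s\n", $order, build_request($order, $get, $post, $cookie)['role']);
}

// Explicit: the form body is used, and the same handler refuses a GET.
printf("POST handler    role=%s\n", read_field('POST', 'POST', $get, $post, 'role'));
try {
    read_field('POST', 'GET', $get, $post, 'role');
} catch (RuntimeException $e) {
    printf("POST handler    rejected: %s\n", $e->getMessage());
}
```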