[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 12:57:41 MST 2008


If a
On Thu, Feb 28, 2008 at 11:43 AM, Wade Preston Shearer <
lists at wadeshearer.com> wrote:

> On 28 Feb 2008, at 12:41, Joshua Simpson wrote:
>
> > Second, explicit ($_POST / $_GET versus $_REQUEST) is always better than
> > implicit, especially when it comes to security.  Specifying the exact
> > request method is always preferable.
>
> Why?
>
>
Because it's less strict.  If you're not explicitly referencing the method,
it becomes that much easier to rewrite something, unwittingly or not.
Calling it a "security hole" is a misnomer;  it's not technically a
"security hole" - it's just a bad practice in terms of security.  It's also
bad form generally.  As a software developer you shouldn't just handle all
requests the same.  If a client uses a POST method rather than a GET method
as you want it to be handled, it _shouldn't_ be handled the same.  You're
putting all request methods in the same namespace, and it's a lazy (and not
in the good way) way to handle data in your application.


-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy
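
Added example, not part of the original message or of any list member's code: a PHP CLI sketch of the point above, showing how the value a handler reads from a merged $_REQUEST-style array depends on the merge order, while an explicit handler ties the value to the request method. The helper names and the sample request are constructed for illustration; build_request() is a hypothetical stand-in for how PHP fills $_REQUEST according to request_order, since $_REQUEST is empty under the CLI.

```php
<?php
// Constructed sample input: one request carrying the same key in three places.
$get    = ['action' => 'view',   'id' => '7'];
$post   = ['action' => 'delete', 'id' => '7'];
$cookie = ['action' => 'view'];

// Hypothetical helper: merges the sources the way PHP fills $_REQUEST,
// left to right per request_order, later sources overwriting earlier ones.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $letter) {
        $merged = array_merge($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Implicit: the handler cannot tell which source supplied 'action'.
function action_implicit(array $request): string
{
    return $request['action'] ?? 'view';
}

// Explicit: state-changing actions are accepted only from a POST body.
function action_explicit(string $method, array $get, array $post): string
{
    if ($method === 'POST') {
        return $post['action'] ?? 'view';
    }
    $action = $get['action'] ?? 'view';
    return $action === 'view' ? 'view' : 'rejected';
}

// Same request, three merge orders: the implicit result changes with config.
foreach (['GP', 'GPC', 'PG'] as $order) {
    printf("request_order=%-3s implicit action: %s\n", $order,
        action_implicit(build_request($order, $get, $post, $cookie)));
}
printf("explicit, POST: %s\n", action_explicit('POST', $get, $post));
printf("explicit, GET with action=delete: %s\n",
    action_explicit('GET', ['action' => 'delete'], []));
```
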

