[UPHPU] receiving with $_REQUEST

Joshua Simpson std3rr at gmail.com
Thu Feb 28 14:00:38 MST 2008


On Thu, Feb 28, 2008 at 12:20 PM, Wade Preston Shearer <lists at wadeshearer.com> wrote:

> > Because it's less strict.  If you're not explicitly referencing the
> > method, it becomes that much easier to rewrite something, unwittingly
> > or not.
>
> Isn't that a plus?
>

No, no, no, I mean, rewriting in the bad way.  Let's say you have a GET
variable called "loginid".  You access it via $_REQUEST.  What if you
include a script that you or another developer wrote that resets
$_COOKIE['loginid']?  Your $_REQUEST will now access the cookie value, not
the GET value.


> As long as there are no security problems, isn't this flexibility a
> good thing?
>

Not at all.  There are reasons why the RFC defines GET, POST, PUT, DELETE,
etc., differently.  You should know which method is being used, and you
shouldn't access them all the same way.  There's absolutely no reason for
$_REQUEST to even exist in PHP.  Read the RFC [1], please.  There's no
excuse for a web developer not to have the HTTP RFC down pat.


dw

1: http://www.faqs.org/rfcs/rfc2616.html
-- 
-
http://stderr.ws/
"Insert pseudo-insightful quote here." - Some Guy

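The shadowing discussed in the message above, as an added example that is not part of the original post: it models how PHP's `request_order` directive fills `$_REQUEST` (sources registered left to right, later ones overwriting earlier ones) and contrasts that with reading one named source. The helpers `build_request()` and `loginid_from()` and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Hypothetical helper: rebuild $_REQUEST the way request_order describes. */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // Later sources overwrite earlier ones key by key.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Hypothetical helper: read loginid from exactly one source and validate it. */
function loginid_from(array $source): ?string
{
    $value = $source['loginid'] ?? null;
    // Accept only a short identifier; array input (loginid[]=x) is rejected.
    if (!is_string($value) || preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Constructed sample request: the URL carries loginid, and the browser
// also sends a cookie with the same name.
$get    = ['loginid' => 'alice'];
$post   = [];
$cookie = ['loginid' => 'stale_value'];

$gpc = build_request('GPC', $get, $post, $cookie); // cookie registered last
$gp  = build_request('GP', $get, $post, $cookie);  // cookies not registered

echo "request_order=GPC  \$_REQUEST['loginid'] = {$gpc['loginid']}\n";
echo "request_order=GP   \$_REQUEST['loginid'] = {$gp['loginid']}\n";
echo "explicit \$_GET      loginid = " . loginid_from($get) . "\n";
```

Which result a server shows depends on its `request_order` setting (PHP falls back to `variables_order` when it is unset), so code that reads `$_GET`, `$_POST` or `$_COOKIE` by name behaves the same across configurations.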
