On Jan 6, 2008 5:06 AM, Stefan Esser <[EMAIL PROTECTED]> wrote:
> Hello Daniel,
> >     It may be off-topic for the initial post, but I disagree
> > wholeheartedly with the above statement, Stefan.  There are
> > innumerable reasons where $_REQUEST would be much more economic than
> > writing out all conditions for $_POST, $_GET, $_SESSION, $_COOKIE....
> >
> it doesn't matter if you disagree with my statement, because that is
> just another personal opinion. It is a known fact that using $_REQUEST
> usually introduces security holes in applications.
> There is always $_COOKIE merged into it, which overwrites $_GET and
> $_POST. That means I just need to infect your browser with a cookie and
> have delayed cross site forgeries all over the place...

    Believe me, I'm not saying you're wrong, because in 99%
(figurative, of course) of the production environments, $_REQUEST is a
horrible idea.  However, my opinion is just that there is a time and
place for it, and it shouldn't be written off completely.

    For the record, I don't use it myself (save for scripts I write to
generate random number lists on my local dev box); it just isn't fair
to dismiss it with prejudice.

-- 
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you
can make enough money to pay someone else to do it for you.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
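
The merge behaviour discussed in this thread, as an added example that is not part of the original messages: it emulates how $_REQUEST is assembled from $_GET, $_POST and $_COOKIE, and shows a cookie shadowing a POST field of the same name. `build_request` and `post_param` are hypothetical helpers, and the input arrays are constructed sample data.

```php
<?php
// Added example, not code from the thread. Emulates how PHP fills $_REQUEST:
// each letter of the order string names a source, and later sources
// overwrite keys set by earlier ones.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys and lets the later source win.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: read a parameter from one named source only,
// rejecting arrays and missing keys.
function post_param(array $post, string $key): ?string
{
    $value = $post[$key] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed sample input: a form post, plus a cookie that happens to
// carry the same key as one of the form fields.
$get    = [];
$post   = ['account' => 'alice', 'amount' => '10'];
$cookie = ['account' => 'set-by-cookie', 'theme' => 'dark'];

// Cookies merged last: the cookie value replaces the posted one.
$legacy = build_request('GPC', $get, $post, $cookie);

// Cookies left out of the merge: the posted value survives.
$strict = build_request('GP', $get, $post, $cookie);

printf("order GPC, merged account:  %s\n", $legacy['account']);
printf("order GP,  merged account:  %s\n", $strict['account']);
printf("explicit POST read account: %s\n", post_param($post, 'account'));

// The merged array cannot tell the handler where a value came from.
printf("source visible in merged array: %s\n",
    array_key_exists('theme', $legacy) ? 'no (cookie key mixed in)' : 'n/a');
```

On PHP 5.3 and later, the `request_order` ini directive controls this merge; setting it to "GP" keeps cookies out of $_REQUEST.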
