On Jan 6, 2008 5:06 AM, Stefan Esser <[EMAIL PROTECTED]> wrote:
> Hello Daniel,
> > It may be off-topic for the initial post, but I disagree
> > wholeheartedly with the above statement, Stefan. There are
> > innumerable reasons where $_REQUEST would be much more economic than
> > writing out all conditions for $_POST, $_GET, $_SESSION, $_COOKIE....
> >
> it doesn't matter if you disagree with my statement, because that is
> just another personal opinion. It is a known fact that using $_REQUEST
> usually introduces security holes in applications.
> There is always $_COOKIE merged into it, which overwrites $_GET and
> $_POST. That means I just need to infect your browser with a cookie and
> have delayed cross site forgeries all over the place...

Believe me, I'm not saying you're wrong, because in 99% (figurative, of course) of the production environments, $_REQUEST is a horrible idea. However, my opinion is just that there is a time and place for it, and it shouldn't be written off completely. For the record, I don't use it myself (save for scripts I write to generate random number lists on my local dev box), it just isn't fair to dismiss it with prejudice.

--
Daniel P. Brown
[Phone Numbers Go Here!]
[They're Hidden From View!]

If at first you don't succeed, stick to what you know best so that you can make enough money to pay someone else to do it for you.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
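
Added example, not part of either message: a PHP sketch of the merge Stefan describes, where a cookie that shares a parameter's name replaces the value sent by GET or POST. The helper build_request() and both handler functions are hypothetical names, the request data is constructed, and the "GPC" merge order is an assumption matching the behaviour described in the quoted message.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP API): emulates how $_REQUEST is filled.
// Sources are applied in the order given, so a later source overwrites
// an earlier one that uses the same key.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Handler as it is often written: takes the value from the merged array,
// so it cannot tell which source the value came from.
function newsletter_choice_from_request(array $request): string
{
    return ($request['subscribe'] ?? 'no') === 'yes' ? 'subscribed' : 'not subscribed';
}

// Handler that names its source: only the submitted form body counts.
function newsletter_choice_from_post(array $post): string
{
    return ($post['subscribe'] ?? 'no') === 'yes' ? 'subscribed' : 'not subscribed';
}

// Constructed sample request: the form submitted subscribe=no, but a cookie
// named "subscribe" is already present in the browser.
$get    = [];
$post   = ['subscribe' => 'no'];
$cookie = ['subscribe' => 'yes'];

// Assumed merge order with cookies applied last.
$request = build_request('GPC', $get, $post, $cookie);

printf("merged (GPC): %s\n", newsletter_choice_from_request($request));
printf("POST only:    %s\n", newsletter_choice_from_post($post));

// Same merged handler, but with cookies left out of the merge.
$noCookies = build_request('GP', $get, $post, $cookie);
printf("merged (GP):  %s\n", newsletter_choice_from_request($noCookies));
```

Since PHP 5.3 the request_order ini directive controls this merge; a value of "GP" keeps cookies out of $_REQUEST, though reading $_POST or $_GET directly remains the explicit form.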