On 15.05.2009, at 10:22, Rasmus Lerdorf wrote:

Michael Shadle wrote:
On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham <nrix...@gmail.com> wrote:

bc? all the reasoning in the world won't justify it to 1 million businesses
running php 4 code which is reliant on $_REQUEST behind the scenes.

although it would generate a tonne of freelance work :p

that code has to change for 5.3 or 6.0 anyway.

now is the time to yank out some of the legacy crap. we don't want PHP
to be like windows, do we?

The more stuff like this we remove, the harder it becomes for people to
quickly move to newer, faster and more secure versions of PHP.  That
causes way more frustration for everyone than a few "ugly" legacy
features.  If there is a decent technical reason, performance or
security, then we need to take a hard look at it.  In this case, the
thing we should be looking at isn't whether we should remove $_REQUEST
but whether we should remove cookie data from it.  Many configurations
already do that, including all of my own, and there is a strong valid
security reason for not including cookies in $_REQUEST.  Most people use
$_REQUEST to mean GET or POST, not realizing that it could also contain
cookies and as such bad guys could potentially do some cookie injection
tricks and break naive applications.


It's already fixed in 5.3. There is a new ini option that defines what should go into $_REQUEST. See the following blog post for details:
http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/

Also a lot of work was put into restructuring the php.ini files we ship with PHP.

regards,
Lukas Kahwe Smith
m...@pooteeweet.org
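As an added example (not code from the thread, from Rasmus or Lukas, or from PHP itself), the PHP script below mirrors how $_REQUEST is assembled from GET, POST and COOKIE so that the cookie-override problem Rasmus describes and the 5.3 fix Lukas points to can be compared side by side. The 5.3 ini directive is request_order; when it is empty, PHP falls back to variables_order. The helper build_request, the two handlers, the cookies_reach_request check and the planted-cookie inputs are all constructed for this illustration; the script needs PHP 7 or later.

```php
<?php
// Added example, not part of the original thread. Simulates how PHP fills
// $_REQUEST from its sources so the cookie-override problem and the 5.3
// request_order fix can be compared. The real interpreter does this inside
// the engine; this helper only mirrors the documented merge order.

/**
 * Mimic $_REQUEST construction: later letters in $order overwrite earlier
 * ones. 'G' = GET, 'P' = POST, 'C' = COOKIE. Other letters (E, S) never
 * contribute to $_REQUEST and are ignored here.
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge with string keys: the right-hand side wins
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Naive handler typical of PHP 4-era code: treats $_REQUEST as "GET or POST". */
function naive_handler(array $request): string
{
    $action = $request['action'] ?? 'view';
    $id     = $request['id'] ?? '';
    return $action . ':' . $id;
}

/** Hardened handler: reads only the superglobal that matches the HTTP method. */
function hardened_handler(string $method, array $get, array $post): string
{
    $src    = ($method === 'POST') ? $post : $get;
    $action = $src['action'] ?? 'view';
    $id     = $src['id'] ?? '';
    return $action . ':' . $id;
}

/**
 * Check for an existing host: can cookie data still reach $_REQUEST?
 * request_order is consulted first; if it is unset (pre-5.3) or empty,
 * PHP uses variables_order, so the check falls back the same way.
 */
function cookies_reach_request(): bool
{
    $order = ini_get('request_order');
    if ($order === false || $order === '') {
        $order = ini_get('variables_order');
    }
    return stripos((string) $order, 'C') !== false;
}

// Constructed inputs: the user submits a harmless form, but an attacker has
// earlier planted a cookie using the same parameter names (for instance from
// a sibling subdomain that may set cookies for the parent domain).
$get    = [];
$post   = ['action' => 'view', 'id' => '42'];
$cookie = ['action' => 'delete', 'id' => '7'];

// Pre-5.3 behaviour: variables_order = "EGPCS" and no request_order,
// so COOKIE is merged after POST and overwrites it.
$legacy = build_request($get, $post, $cookie, 'EGPCS');
echo "legacy EGPCS, naive handler:   ", naive_handler($legacy), "\n";

// PHP 5.3 with request_order = "GP": cookies are never merged.
$fixed = build_request($get, $post, $cookie, 'GP');
echo "request_order=GP, naive handler: ", naive_handler($fixed), "\n";

// Code that never relied on $_REQUEST is unaffected by either setting.
echo "hardened handler (POST):         ", hardened_handler('POST', $get, $post), "\n";

echo "cookies can reach \$_REQUEST here: ", cookies_reach_request() ? 'yes' : 'no', "\n";
```

Run it with `php request_order_demo.php`. Under the legacy EGPCS order the planted cookie overwrites the POSTed fields, so the naive handler acts on delete:7; under GP (the value the php.ini files shipped with 5.3 set) it sees the form's own view:42. The last line reports the state of the host the script runs on: if cookies_reach_request() is true, cookies still flow into $_REQUEST and any code that reads it should be audited or request_order set to "GP".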

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php