2008/11/4 Maciek Sokolewicz <[EMAIL PROTECTED]>:
> Lars Torben Wilson wrote:
>>
>> Hi all,
>>
>> This patch is to address a wording error I stumbled across today in
>> the documentation for $_REQUEST.
>>
>> RCS file:
>> /repository/phpdoc/en/language/predefined/variables/request.xml,v
>> retrieving revision 1.6
>> diff -u -u -r1.6 request.xml
>> --- en/language/predefined/variables/request.xml        23 Aug 2008
>> 15:40:21 -0000      1.6
>> +++ en/language/predefined/variables/request.xml        4 Nov 2008
>> 07:13:13 -0000
>> @@ -71,9 +71,11 @@
>>   </note>
>>   <note>
>>    <para>
>> -    Variables provided to the script via the GET, POST, and COOKIE input
>> -    mechanisms, and which therefore cannot be trusted. The presence and
>> -    order of variable inclusion in this array is defined according to the
>> +    The variables in <varname>$_REQUEST</varname> are provided to the
>> +    script via the GET, POST, and COOKIE input mechanisms and
>> +    therefore could be modified by the remote user and cannot be
>> +    trusted. The presence and order of variables listed in this array
>> +    is defined according to the
>>     PHP <link linkend="ini.variables-order">variables_order</link>
>>     configuration directive.
>>    </para>
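Review bot: in the added sentence "The presence and order of variables listed in this array is defined according to the", the compound subject "presence and order" takes a plural verb, so "is defined" should read "are defined". The first added sentence would also read more cleanly with a comma before "and therefore could be modified", which separates the statement of where the variables come from and the conclusion that they cannot be trusted.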
>>
>>
>> Regards,
>>
>> Torben
>
> What error? You simply reworded the text a bit to highlight what you see as
> the most important reason not to trust userdata?
>
> - Tul

Hi Tul,

Nope. The sentence "Variables provided to the script via the GET, POST, and
COOKIE input mechanisms, and which therefore cannot be trusted." does not
make any sense. At the very least it would have to be reworded to something like
"Variables are provided to the script via the GET, POST, and COOKIE input
mechanisms, and therefore cannot be trusted." in order to make sense.

I took the opportunity to add a bit more information about why they cannot be
trusted because let's face it: if the reader doesn't know that userdata cannot
be trusted, they probably won't know any of the reasons why.


Regards,

Torben
