03-17-2008, 02:25 AM
Village Idiot, I invite you to explain how using $_REQUEST presents a possible security risk above and beyond anything already available for $_GET/POST/COOKIE individually. It's all well and good saying "if exploited right, a security risk" but how are folks to learn if they're told how that risk is put into place and why?
To change the order in which the variables are parsed into $_REQUEST, you can use the php.ini directive which is "EGPCS" by default, meaning that the order is ENVIRONMENT, GET, POST, COOKIE then finally SERVER. For the sake of $_REQUEST, if both $_GET['action'] and $_POST['action'] exist, then $_REQUEST['action'] will be given the value of whatever comes last in the list (so, POST by default). Note: ENV and SERVER values aren't mushed into the REQUEST superglobal variable, just GET/POST/COOKIE.
I can't remember the last time that I used $_REQUEST in anything other than experimenting -- I've no reason in my everyday code to cater for one item of user input coming in from more than one place and if that were the case I'd likely want to know which place it came from anyway.
The Following User Says Thank You to Salathe For This Useful Post:
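The last-wins merge described in the post above, as an added example that is not part of the original post and not PHP's own source. `build_request()` and `post_action()` are hypothetical helpers and the input arrays are constructed. The model applies an order string such as "EGPCS" to three sources that all carry the same key, records which source supplied the final value, and then contrasts that with reading one named source.

```php
<?php
// Added illustration: a model of how $_REQUEST is assembled, not PHP internals.

/**
 * Merge GET/POST/COOKIE arrays following an order string such as "EGPCS".
 * Returns [merged values, map of key => source that supplied the final value].
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => ['GET', $get], 'P' => ['POST', $post], 'C' => ['COOKIE', $cookie]];
    $merged = [];
    $origin = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (!isset($sources[$letter])) {
            continue; // E and S are not merged into $_REQUEST
        }
        [$name, $values] = $sources[$letter];
        foreach ($values as $key => $value) {
            $merged[$key] = $value; // a later source overwrites an earlier one
            $origin[$key] = $name;  // remember where the surviving value came from
        }
    }
    return [$merged, $origin];
}

// Constructed sample input: the same key arrives from three places at once.
$get    = ['action' => 'view'];
$post   = ['action' => 'save'];
$cookie = ['action' => 'delete'];

foreach (['GP', 'PG', 'EGPCS'] as $order) {
    [$request, $origin] = build_request($order, $get, $post, $cookie);
    printf("%-5s => action=%s (from %s)\n", $order, $request['action'], $origin['action']);
}

// Reading one named superglobal keeps the source explicit; an allow-list
// rejects anything the handler does not expect.
function post_action(array $post, array $allowed): ?string
{
    $action = $post['action'] ?? null;
    return is_string($action) && in_array($action, $allowed, true) ? $action : null;
}

var_dump(post_action($post, ['save', 'view'])); // value taken from POST only
var_dump(post_action([], ['save', 'view']));    // key absent from POST: null
```

Code that reads `$_REQUEST['action']` sees only the merged value, so it cannot tell which of the three sources supplied it; the `$origin` map in the model is information the real superglobal does not carry.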