[nycphp-talk] $_REQUEST: Bad Form?
Brent Baisley
brenttech at gmail.com
Fri Oct 12 15:33:07 EDT 2007
It's bad form because you should know whether data is being passed to
you from a form or via the url. You can post a form to a url that
contains parameters, in which case some data will be in the $_GET
array and some in the $_POST array. What happens if you have a
parameter in the url with the same name as a form field? One of them
will be missing in the $_REQUEST array.

If you don't know which way a piece of data will be coming in, then
you probably have a poorly designed site.

The other thing to remember is that a url (meaning what's in the
$_GET) gets recorded in the web server log. An unencrypted, plain
text file. Nothing private should get recorded there.

The rule to follow is that $_GET should be used to retrieve data from
the server, $_POST should be used to pass data to the server.

On 10/12/07, Brian D. <brian at realm3.com> wrote:
> I can't find where I read it originally, but somewhere I've been told
> or read that "using $_REQUEST is bad form." I understand that in cases
> where you want to force a $_POST request, but if you might receive
> $_GET or $_POST then isn't it better than doing if/elses?
>
> The only related thing I could find on Google was this guy (
> http://mypetprogrammer.com/blog/?p=15 ) but he seems to erroneously
> believe that using $_POST somehow saves you from a SQL injection
> attack.
>
> I'm also thinking that some servers don't use the $_REQUEST array.
>
> Can you define why it's bad form? When is it considered acceptable to use?
>
> Thanks!
> - B.
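The name collision described in the message above, as an added example that is not part of the original thread. It assumes PHP's request_order ini setting (not mentioned in the thread) decides which source overwrites the other in $_REQUEST; build_request() and input_from() are hypothetical helper names, and the sample request is constructed.

```php
<?php
declare(strict_types=1);

// Model of how PHP fills $_REQUEST: sources are merged in the order given by
// request_order (for example "GP"), and a later source overwrites an earlier
// one when both carry the same parameter name.
function build_request(string $order, array $get, array $post, array $cookie = []): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Hypothetical helper: read a field from one named channel only, and refuse
// the request when the same name also arrives through the other channel.
function input_from(string $source, string $name, array $get, array $post): ?string
{
    $wanted = $source === 'POST' ? $post : $get;
    $other  = $source === 'POST' ? $get : $post;
    if (array_key_exists($name, $other)) {
        throw new InvalidArgumentException("'$name' sent via both URL and form body");
    }
    $value = $wanted[$name] ?? null;
    return is_string($value) ? $value : null; // array-valued input is not accepted
}

// Constructed sample: a form posted to /account.php?email=url@example.com&page=2
$get  = ['email' => 'url@example.com', 'page' => '2'];
$post = ['email' => 'form@example.com', 'password' => 'constructed-secret'];

// Same request, two server configurations: the surviving 'email' differs,
// and the other value is silently dropped from the merged array.
echo build_request('GP', $get, $post)['email'], PHP_EOL;
echo build_request('PG', $get, $post)['email'], PHP_EOL;

// Explicit sources: navigation state from the URL, credentials from the body
// only, so they never appear in the query string the web server logs.
$page     = input_from('GET', 'page', $get, $post);
$password = input_from('POST', 'password', $get, $post);

try {
    input_from('POST', 'email', $get, $post); // ambiguous: present in both
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```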