[nycphp-talk] $_REQUEST: Bad Form?

Brian D. brian at realm3.com
Sun Oct 14 16:26:31 EDT 2007


The most direct answer to my original question was from Brent: "It's
bad form because you should know whether data is being passed to
you from a form or via the url."

While this is partially correct, I believe that you could run into
situations where you want to accept both (e.g., a record ID via a
hidden field or via a GET). I'm aware of the differences between POST
and GET; I just wasn't sure why using the $_REQUEST array was
considered bad form.

Another good point that was made:
"Mainly, the issue comes into play when you don't get to
design/dictate the entire site OR you count on external web developers
to call your app for some reason."

As far as I can tell there's nothing fundamentally wrong with using
$_REQUEST, but if you can control how the data is passed, more power
to you.

One last question: David, you said in reference to $_POST saving one
from SQL injections:
"You're saying it doesn't? But it still saves one from parse errors
and 404s...."

Using $_POST over $_REQUEST makes no difference in what you receive -
you'll still have to escape data that you put into a SQL query either
way. How does using $_POST save one from parse errors and 404s?

Thanks for all of the feedback.
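
The case discussed in this message (a record ID accepted from either a hidden POST field or a GET parameter, then used in a SQL query), as an added example that is not part of the original post. The function names, the `records` table, and the sample requests are constructed for illustration; it assumes PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example: names, table and sample values are constructed.

// Accept a record ID from a hidden POST field or a GET parameter, naming
// both sources explicitly instead of reading $_REQUEST.
// In a real handler this would be called as record_id($_POST, $_GET).
function record_id(array $post, array $get): ?int
{
    $raw = $post['id'] ?? $get['id'] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or an array such as id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as a parameter, so the query text never contains
// request data, whichever array it came from.
function find_title(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM records WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO records (id, title) VALUES (1, 'first'), (2, 'second')");

// Constructed requests: the same hostile value arrives once in a POST
// body and once in a query string, and is handled identically.
$cases = [
    'hidden field' => [['id' => '2'], []],
    'query string' => [[], ['id' => '1']],
    'hostile POST' => [['id' => '1 OR 1=1'], []],
    'hostile GET'  => [[], ['id' => '1 OR 1=1']],
];
foreach ($cases as $label => [$post, $get]) {
    $id = record_id($post, $get);
    $result = $id === null ? 'rejected' : (find_title($db, $id) ?? 'not found');
    printf("%-13s => %s\n", $label, $result);
}
```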


