Re: notice and warning



Barry wrote:
"Erwin Moller" <Since_humans_read_this_I_am_spammed_too_much@xxxxxxxxxxxxxxxx> wrote in message news:487e1e6b$0$14347$e4fe514c@xxxxxxxxxxxxxxxxx
Jeff wrote:

<snip>

Don't use $_REQUEST[].
Use $_POST or $_GET or $_COOKIE or whatever you need, but don't use $_REQUEST.
Doing so means you don't know where your data comes from.
(Some people, like me, think it should never have been added to the language.)


Hi Barry,

Sorry for the late response: I have been working way too many hours elsewhere the last few days. Back now. :-)


what's wrong with $_REQUEST, erwin? i use it as standard practice. i have the order set in the php.ini to my liking - it happens to be the default. if i need to get fussy where my data is coming from, then i specifically use the one i need, i.e. $_POST/GET/COOKIE et al. using $_REQUEST scales better also since you may change your implementation on how the script is being called/used. being specific when not needed means you'll have to re-write that portion of the script...not so with $_REQUEST.

just wondering what your reasoning is.


An example:
You expect some piece of data from a post in your script, eg: userid.
So you use $_REQUEST["userid"] which works perfectly fine as long as you get the userid in via POST.
Let's say this script deletes the user: userdelete.php
So we have userdelete.php that expects a userid from POST.

Now suppose you leave your fine-running app for a year or so, until your client wants some upgrades to it.
In some unrelated part of your app you decide to store a userid in the $_SESSION so you have it easy at hand on some other pages. The userid contains the userid of the currently logged in user.

Now you find yourself in the situation that when you call this script for any reason without the POST info, you will delete yourself if you prefer $_REQUEST over $_POST.

Same can happen with get of course.

Of course, all this can be avoided easily if you program perfectly and never make mistakes, but I doubt that. ;-)

So, in my opinion, it is always better to state where you get your data from.

If we stick to your example: You say using $_REQUEST scales better.
I say it bugs better. ;-)

Regards,
Erwin Moller
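
The source ambiguity discussed in this thread, as an added example that is not part of the original posts: it emulates how PHP merges GET, POST and cookie data into $_REQUEST so the effect can be run from the CLI. `build_request()`, the two `target_from_*` helpers, the `GPC` order and the `userid` cookie are assumptions made for illustration.

```php
<?php
// Added example. build_request() emulates PHP's own $_REQUEST merge;
// all names and sample values below are constructed for illustration.

// PHP merges the sources named in request_order left to right;
// a later source overwrites an earlier one when keys collide.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Ambiguous: accepts a "userid" that arrived by any channel.
function target_from_request(array $request): ?int
{
    return isset($request['userid']) ? (int) $request['userid'] : null;
}

// Explicit: only a POSTed, strictly numeric userid is a delete target.
function target_from_post(array $post): ?int
{
    $id = $post['userid'] ?? null;
    if (is_string($id) && preg_match('/^[0-9]+$/D', $id) === 1) {
        return (int) $id;
    }
    return null;
}

// Constructed request: userdelete.php is reached without a POST body,
// while a cookie added elsewhere in the app holds the caller's own id.
$get    = [];
$post   = [];
$cookie = ['userid' => '42'];

$request = build_request('GPC', $get, $post, $cookie);

// The merged array silently supplies the cookie's userid.
var_dump(target_from_request($request));
// The explicit reader finds no POSTed userid, so there is no delete target.
var_dump(target_from_post($post));
```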