[nycphp-talk] $_REQUEST: Bad Form?
Kenneth Downs
ken at secdat.com
Sat Oct 13 10:31:45 EDT 2007
Brian D. wrote:
> I can't find where I read it originally, but somewhere I've been told
> or read that "using $_REQUEST is bad form." I understand that in cases
> where you want to force a $_POST request, but if you might receive
> $_GET or $_POST then isn't it better than doing if/elses?
>
Others have already pointed out that for reliability's sake, $_POST and
$_GET give you direct access to user-supplied data before some other
process has interfered with it.

Originally GET and POST were intended for different purposes. The one
to "get" data from the server and the other to "post" data to the
server. In real life this means that a GET querystring is limited,
depending on the browser, to about 2000-8000 bytes. A POST query on the
other hand is expected to upload files, possibly post large text fields
and so forth and so the size of a POST is allowed to be much more than a
GET.

But if you take large uploads out of the picture, the simple fact is
that a GET and POST are functionally identical once the PHP script is
executing. Each arrives as an associative array. If you treat them
differently then you are doing so out of respect for conventions that
have no direct impact on your program. In cases like this I go back
and forth. I will do whatever produces the most reliable code, even if
it defies convention, but if there is nothing to be gained by defying
convention I will try to go along so as to avoid all the free advice you
get from the code police.

> The only related thing I could find on Google was this guy (
> http://mypetprogrammer.com/blog/?p=15 ) but he seems to erroneously
> believe that using $_POST somehow saves you from a SQL injection
> attack.
>
> I'm also thinking that some servers don't use the $_REQUEST array.
>
> Can you define why it's bad form? When is it considered acceptable to use?
>
> Thanks!
> - B.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
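
An added example, not part of the original message: a model of how $_REQUEST is assembled from several sources, next to reading a parameter only from the array that matches the expected method. The function names and sample arrays are constructed for illustration; the merge order mirrors PHP's request_order ini setting.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for one request's superglobals.
$get    = ['page' => '2'];
$post   = ['action' => 'save', 'id' => '17', 'tags' => ['a', 'b']];
$cookie = ['action' => 'delete', 'theme' => 'dark'];

// Model of how PHP fills $_REQUEST: sources are merged left to right in
// request_order, and a later source overwrites an earlier one.
function merged_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (!isset($sources[$letter])) {
            throw new InvalidArgumentException("unknown source letter: $letter");
        }
        $merged = array_replace($merged, $sources[$letter]);
    }
    return $merged;
}

// Hypothetical helper: read a scalar parameter only from the array that
// matches the HTTP method the handler expects.
function param_for_method(string $method, string $name, array $get, array $post): ?string
{
    $method = strtoupper($method);
    if ($method !== 'GET' && $method !== 'POST') {
        throw new InvalidArgumentException("unsupported method: $method");
    }
    $value = ($method === 'POST' ? $post : $get)[$name] ?? null;
    // Fields such as tags[]=a arrive as arrays; reject them here.
    return is_string($value) ? $value : null;
}

// Merged with cookies last, the cookie shadows the form field of the same name.
var_dump(merged_request('GPC', $get, $post, $cookie)['action']);
// Merged without cookies, the form field is what the script sees.
var_dump(merged_request('GP', $get, $post, $cookie)['action']);
// Read explicitly from POST, cookies and the query string never take part.
var_dump(param_for_method('POST', 'action', $get, $post));
var_dump(param_for_method('POST', 'tags', $get, $post));
var_dump(param_for_method('GET', 'action', $get, $post));
```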