[nycphp-talk] Manipulating $_REQUEST Directly

Peter Sawczynec ps at sun-code.com
Thu Jul 19 10:53:43 EDT 2007


First, I want to say thanks for your solid reply.

Yet, below is a snippet of PHP.net documentation on $_REQUEST which shows that $_COOKIE is also found within $_REQUEST. 

//*****************
//START PHP.net Quote

Request variables: $_REQUEST 
Note: Introduced in 4.1.0. There is no equivalent array in earlier versions. 
Note: Prior to PHP 4.3.0, $_FILES information was also included in $_REQUEST. 
An associative array consisting of the contents of $_GET, $_POST, and $_COOKIE. 

//END PHP.net Quote
//*****************


So what I need to know is:

1) By unsetting/eliminating $_REQUEST vars are we also actually unsetting/eliminating cookie vars at the same time?

or 

2) All these PHP arrays ($_REQUEST, $_GET, $_SESSION, $_COOKIE ... ...) are all independent of each other and carry their values discretely and basically sometimes in duplicate of each other. And manipulating the contents of one set of global vars does not change the other set of global vars during this script run... or what?


Peter

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of csnyder
Sent: Tuesday, July 17, 2007 10:57 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Manipulating $_REQUEST Directly

On 7/16/07, Peter Sawczynec <ps at sun-code.com> wrote:
> I have inherited some old legacy code that down and dirty uses $_REQUEST
> to universally grab all variables from combined GET and/or POST form
> submissions.
>
> So I want to be equally blunt and directly chop up and massage $_REQUEST
> before any code handles it.
>
> I want to have an array of acceptable "white list" $_REQUEST variable
> names I am looking for, allow those to remain in the $_REQUEST array,
> but I want all other $_REQUEST variables removed/destroyed out of
> $_REQUEST.
>
> Then simply allow the remaining "white list" $_REQUEST to flow into
> the code.

Down and dirty calls for a foreach. ;-)

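// $whitelist maps each allowed variable name to its type,
// e.g. array( 'name' => 'text' ), so test the keys, not the values
foreach( $_REQUEST AS $key=>$val ) {
  if ( !array_key_exists( $key, $whitelist ) ) {
    unset( $_REQUEST[ $key ] );
  }
  else {
    // do you have validation routines?
    // whitelist could include type info for validation...
    switch( $whitelist[ $key ] ) {
      case 'text':
        // validated_text() stands for your own validation routine
        $_REQUEST[ $key ] = validated_text( $val );
        break;
    }
  // end else
  }
// end foreach
}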

Maybe you were looking for something more efficient, but being able to
independently validate the values might make it worth a few extra
cycles, depending on whether the downstream code performs validation.

-- 
Chris Snyder
http://chxo.com/
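
An added example, not part of the thread: it shows that $_REQUEST is a separate copy, so whitelisting it leaves $_GET, $_POST and $_COOKIE untouched, and legacy code that reads those arrays directly still sees unfiltered input. The sample request values, the whitelist and the apply_whitelist() helper are constructed for illustration; the real $_REQUEST merge order depends on php.ini (request_order / variables_order).

```php
<?php
// Run from the CLI: php example.php
// Constructed sample input standing in for a real request.
$_GET    = ['page' => '2', 'debug' => '1'];
$_POST   = ['name' => 'Peter'];
$_COOKIE = ['theme' => 'dark'];
// PHP builds $_REQUEST once, as its own array, before the script starts.
// Emulated here with a simple merge (assumption: GET, POST, COOKIE order).
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

// Hypothetical whitelist: variable name => expected type.
$whitelist = ['page' => 'int', 'name' => 'text'];

/**
 * Return only the whitelisted keys of $input that pass validation.
 * Anything not whitelisted, not a string, or failing its type check is dropped.
 */
function apply_whitelist(array $input, array $whitelist): array
{
    $clean = [];
    foreach ($whitelist as $key => $type) {
        if (!array_key_exists($key, $input) || !is_string($input[$key])) {
            continue; // absent, or an array such as ?page[]=1
        }
        $val = $input[$key];
        if ($type === 'int' && preg_match('/^\d{1,9}$/', $val)) {
            $clean[$key] = (int) $val;
        } elseif ($type === 'text' && preg_match('/^[\w .-]{1,64}$/', $val)) {
            $clean[$key] = $val;
        }
    }
    return $clean;
}

// Filter $_REQUEST only, then compare it with the arrays it was built from.
$_REQUEST = apply_whitelist($_REQUEST, $whitelist);
echo "After filtering \$_REQUEST only:\n";
var_dump(array_keys($_REQUEST), array_keys($_GET), array_keys($_COOKIE));

// Code that reads $_GET, $_POST or $_COOKIE directly needs the same filter.
$_GET    = apply_whitelist($_GET, $whitelist);
$_POST   = apply_whitelist($_POST, $whitelist);
$_COOKIE = apply_whitelist($_COOKIE, $whitelist);
echo "After filtering every source array:\n";
var_dump(array_keys($_GET), array_keys($_POST), array_keys($_COOKIE));
```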