[nycphp-talk] $_REQUEST: Bad Form?

Kenneth Downs ken at secdat.com
Sat Oct 13 10:31:45 EDT 2007


Brian D. wrote:
> I can't find where I read it originally, but somewhere I've been told
> or read that "using $_REQUEST is bad form." I understand that in cases
> where you want to force a $_POST request, but if you might receive
> $_GET or $_POST then isn't it better than doing if/elses?
>   

Others have already pointed out that for reliability's sake, $_POST and 
$_GET give you direct access to user-supplied data before some other 
process has interfered with it.

Originally GET and POST were intended for different purposes.  The one 
to "get" data from the server and the other to "post" data to the 
server.   In real life this means that a GET querystring is limited, 
depending on the browser, to about 2000-8000 bytes.  A POST query on the 
other hand is expected to upload files, possibly post large text fields 
and so forth and so the size of a POST is allowed to be much more than a 
GET.

But if you take large uploads out of the picture, the simple fact is 
that a GET and POST are functionally identical once the PHP script is 
executing.  Each arrives as an associative array.  If you treat them 
differently then you are doing so out of respect for conventions that 
have no direct impact on your program.   In cases like this I go back 
and forth. I will do whatever produces the most reliable code, even if 
it defies convention, but if there is nothing to be gained by defying 
convention I will try to go along so as to avoid all the free advice you 
get from the code police.


> The only related thing I could find on Google was this guy (
> http://mypetprogrammer.com/blog/?p=15 ) but he seems to erroneously
> believe that using $_POST somehow saves you from a SQL injection
> attack.
>
> I'm also thinking that some servers don't use the $_REQUEST array.
>
> Can you define why it's bad form? When is it considered acceptable to use?
>
> Thanks!
> - B.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010
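
Added example (not part of the original message): a PHP sketch of how $_REQUEST is assembled from the GET, POST and cookie arrays according to the request_order ini setting (variables_order when that is unset), so the same key can resolve to different user input than $_POST holds. build_request() and field_from() are hypothetical helpers written for this illustration, and the sample arrays are constructed.

```php
<?php
// Hypothetical helper: mimics how PHP fills $_REQUEST from the letters in
// request_order (G = GET, P = POST, C = COOKIE), processed left to right.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // A later source overwrites an earlier one when keys collide.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: read a field from the one source the handler expects.
// Returns null when the field is missing or is not a plain string
// (for example when the client sent account[]=x).
function field_from(array $source, string $name): ?string
{
    $value = $source[$name] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed sample request: the form body, the URL and a cookie all
// carry a key named "account" with different values.
$get    = ['account' => '2002', 'page' => 'transfer'];
$post   = ['account' => '1001', 'amount' => '50'];
$cookie = ['account' => '3003'];

// The value seen through $_REQUEST depends on server configuration.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST['account'] = %s\n", $order, $request['account']);
}

// Reading the specific superglobal gives the same answer under every setting.
printf("\$_POST['account'] = %s\n", field_from($post, 'account'));
printf("\$_GET['account']  = %s\n", field_from($get, 'account'));
```

Either way the value is still user-supplied: choosing $_POST over $_REQUEST fixes which source is read, and validation and parameterised queries are still needed before it reaches SQL.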
