Posted by Edward Vermillion on 09/15/05 00:30
Dan Baker wrote:
> "Ben" <ben@emediastudios.com> wrote in message
[snip]
> Interesting, but I think I wouldn't spend the extra code to detect if I was
> expecting a POST, but got a GET. If I didn't get the value from POST, I'd
> just assume it wasn't there -- I wouldn't go looking elsewhere for it, and
> report an error.
>
There's no extra code with !empty($_POST['whatever']). They didn't send
the information in the correct format (as a $_POST), so more than likely
it's someone trying to do something funny. So ignore it or whatever.
It's a real fast way to check if the data you're getting came from your
form. You still need to do all the other checks too.
I see it not as a real security measure per se, but more like an initial
check to make sure what I'm getting from my forms (may) have really come
from my forms. If you can eliminate some funny business right off the bat
then you don't have to do any extra processing on what most probably is
bad data.
[snip]
>>And the lazy guy answer... typing $_POST and $_GET is faster than typing
>>$_REQUEST ;-).
>
>
> This is, by far, the best reason I've ever heard! <grin>
>
> DanB
>
I'd agree with that one too! ;)
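
The initial check discussed in this post, as an added PHP example that is not part of the original thread. It compares reading a field through a merged request array with reading it from POST only; the field name `email`, the function names, and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added illustration. The field name 'email' and both function names are hypothetical.

// Return the field only if it arrived in the POST body, otherwise null.
// Note: empty() also treats the string "0" as empty.
function field_from_post(array $post, string $name): ?string
{
    if (empty($post[$name]) || !is_string($post[$name])) {
        return null; // absent, empty, or sent as an array: ignore it
    }
    return $post[$name];
}

function handle_signup(array $post): string
{
    $email = field_from_post($post, 'email');
    if ($email === null) {
        return 'ignored (nothing in POST)';
    }
    // The quick source check is not validation; the other checks still run.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected (invalid email)';
    }
    return 'accepted';
}

// Constructed requests standing in for $_GET and $_POST.
$cases = [
    'value in query string' => ['get' => ['email' => 'a@example.com'], 'post' => []],
    'value in POST body'    => ['get' => [], 'post' => ['email' => 'a@example.com']],
    'bad value in POST'     => ['get' => [], 'post' => ['email' => 'not-an-email']],
];

foreach ($cases as $label => $req) {
    // Simplified stand-in for $_REQUEST, which merges GET and POST input.
    $request = $req['post'] + $req['get'];
    $viaRequest = !empty($request['email']) ? 'read' : 'not read';
    printf("%-22s \$_REQUEST: %-8s \$_POST: %s\n", $label, $viaRequest, handle_signup($req['post']));
}
```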