Posted by "Richard Lynch" on 09/15/05 01:25
On Wed, September 14, 2005 4:03 pm, Ben wrote:
>>>using $_REQUEST you'll be oblivious. You ought to know where your
>>>variable values are coming from, $_REQUEST hides this.

I think I must object to saying "$_REQUEST" hides this.

$_REQUEST tells you it came from POST or GET (or COOKIE).

Anyway, I have several applications where both GET and POST are
supported, and behave the same, using $_REQUEST.

I really don't care if somebody wants to web-scrape with GET instead
of POST, or even if they manage to fargle their Cookies to get the
data they need.

GET, POST, and COOKIE are all equally untrustworthy in my eyes.

Lumping them into one big mess to deal with, and responding to them
"the same" makes sense to me from a Security standpoint.

And certainly providing an HTTP response to both GET/POST, not caring
which way the requestor asked for it, doesn't matter to me.

I don't think it "reduces" security to not care about whether the
request is GET or POST -- Any moron can fake up either GET or POST in
minutes. No difference, in the Big Picture.

--
Like Music?
http://l-i-e.com/artists.htm
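
The position in the post above, that GET, POST and COOKIE values deserve identical distrust, can be shown as one validation routine applied to whichever array the value arrived in. This is an added example, not code from the original post; the function name, field names and sample arrays are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate request input identically, whatever its source.
 * $input may be $_GET, $_POST, $_COOKIE or $_REQUEST: all of them are
 * client-controlled, so none gets a lighter check than the others.
 * (Hypothetical helper and field names, added for illustration.)
 */
function validate_listing_input(array $input): array
{
    $clean  = [];
    $errors = [];

    // Integer within an expected range. Missing values, arrays
    // (e.g. ?item_id[]=1) and non-numeric strings all yield false.
    $id = filter_var(
        $input['item_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000000]]
    );
    if ($id === false) {
        $errors[] = 'item_id';
    } else {
        $clean['item_id'] = $id;
    }

    // Allow-list for a value that would end up in an ORDER BY clause.
    // Strict comparison rejects arrays and type-juggled values.
    $sort = $input['sort'] ?? 'name';
    if (in_array($sort, ['name', 'price', 'date'], true)) {
        $clean['sort'] = $sort;
    } else {
        $errors[] = 'sort';
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample inputs standing in for the superglobals.
$samples = [
    'via GET'    => ['item_id' => '42', 'sort' => 'price'],
    'via POST'   => ['item_id' => '42 OR 1=1', 'sort' => 'price'],
    'via COOKIE' => ['item_id' => ['42'], 'sort' => 'name; DROP TABLE items'],
];
foreach ($samples as $label => $input) {
    echo $label, ': ', json_encode(validate_listing_input($input)), "\n";
}
```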