[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET
in mod_rewrite
jacobsantos at branson.com
jacobsantos at branson.com
Tue Aug 28 18:45:11 GMT 2007
I concede that with your explanation you are doing things securely enough.
I would still evaluate $_REQUEST to register globals in the hands of
people who don't know the danger. If it was me, I would test *both*
$_POST and $_GET, instead of using $_REQUEST.
I will say $_REQUEST should never be used, from my coding experiences.
Jacob Santos
Kirk Steffensen wrote:
> On 8/28/07, jacobsantos at branson.com wrote:
>
>> If you kept this and released it GPL, the first thing I will do is convert
>> it to the right super global.
>>
>
>
> If you change $_REQUEST to one of $_POST or $_GET in my code, you'll break
> it.
>
> I use it for retrieving variables that I sometimes set with a POST via form
> and sometimes set with a GET via URL. That's why $_REQUEST is there, so
> that you don't have to look at both $_POST and $_GET. And it doesn't really
> matter where it's coming from, because if it doesn't match the expected
> values (because someone is trying to hack the server), it doesn't matter,
> because none of the variables looked at with $_REQUEST can do anything other
> than break the operation of the plugin since none of them are used for admin
> functions. All the admin is done via config files on the backend. This
> isn't true of all code, but to say that you should NEVER use $_REQUEST in a
> plugin is silly.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
>
>
>
More information about the wp-hackers
mailing list