[wp-hackers] 2 Questions: $_REQUEST equivalent and using GET in mod_rewrite

jacobsantos at branson.com
Tue Aug 28 18:45:11 GMT 2007


I concede that with your explanation you are doing things securely enough.

I would still evaluate $_REQUEST to register globals in the hands of 
people who don't know the danger. If it was me, I would test *both* 
$_POST and $_GET, instead of using $_REQUEST.

I will say $_REQUEST should never be used, from my coding experiences.

Jacob Santos


Kirk Steffensen wrote:
> On 8/28/07, jacobsantos at branson.com wrote:
>   
>> If you kept this and released it GPL, the first thing I will do is convert
>> it to the right super global.
>>     
>
>
> If you change $_REQUEST to one of $_POST or $_GET in my code, you'll break
> it.
>
> I use it for retrieving variables that I sometimes set with a POST via form
> and sometimes set with a GET via URL.  That's why $_REQUEST is there, so
> that you don't have to look at both $_POST and $_GET.  And it doesn't really
> matter where it's coming from, because if it doesn't match the expected
> values (because someone is trying to hack the server), it doesn't matter,
> because none of the variables looked at with $_REQUEST can do anything other
> than break the operation of the plugin since none of them are used for admin
> functions.  All the admin is done via config files on the backend.  This
> isn't true of all code, but to say that you should NEVER use $_REQUEST in a
> plugin is silly.
>   
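
The two approaches discussed in this thread (reading $_POST and $_GET explicitly, and accepting only expected values) can be combined. The following is an added example, not code from either poster or from the plugin under discussion; the function name `plugin_get_param` and the `view` parameter are hypothetical.

```php
<?php
// Added illustration; all names here are hypothetical.

/**
 * Read a parameter that may arrive by form POST or by URL query string
 * without touching $_REQUEST, which (depending on request_order /
 * variables_order in php.ini) can also be populated from cookies.
 */
function plugin_get_param(string $name, array $allowed, string $default,
                          array $post, array $get): string
{
    // Explicit precedence: POST body first, then query string.
    foreach ([$post, $get] as $source) {
        if (!array_key_exists($name, $source)) {
            continue;
        }
        $value = $source[$name];
        // A request such as view[]=x makes PHP deliver an array;
        // anything that is not a string is rejected.
        if (!is_string($value)) {
            return $default;
        }
        // Strict allowlist comparison: unexpected values fall back
        // to the default instead of reaching plugin logic.
        return in_array($value, $allowed, true) ? $value : $default;
    }
    return $default;
}

// Constructed sample input standing in for $_POST and $_GET.
// In a plugin the last two arguments would be $_POST and $_GET.
$allowed = ['day', 'week', 'month'];

// Value supplied via the URL, nothing posted.
var_dump(plugin_get_param('view', $allowed, 'week', [], ['view' => 'month']));

// Array posted where a string is expected.
var_dump(plugin_get_param('view', $allowed, 'week', ['view' => ['x']], []));

// Value outside the allowlist.
var_dump(plugin_get_param('view', $allowed, 'week', [], ['view' => '../etc']));
```

Passing the source arrays as arguments keeps the precedence visible at the call site and lets the function be exercised with constructed input.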


