Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:35279 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 95217 invoked by uid 1010); 7 Feb 2008 04:27:26 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 95202 invoked from network); 7 Feb 2008 04:27:26 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 7 Feb 2008 04:27:26 -0000 Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 204.11.219.139 mail.lerdorf.com Received: from [204.11.219.139] ([204.11.219.139:46527] helo=mail.lerdorf.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AC/40-20044-DA88AA74 for ; Wed, 06 Feb 2008 23:27:26 -0500 Received: from [192.168.200.117] (c-24-6-219-206.hsd1.ca.comcast.net [24.6.219.206]) (authenticated bits=0) by mail.lerdorf.com (8.14.2/8.14.2/Debian-2) with ESMTP id m174RLTA004244 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 6 Feb 2008 20:27:21 -0800 Message-ID: <47AA88A9.4000802@lerdorf.com> Date: Wed, 06 Feb 2008 20:27:21 -0800 User-Agent: Thunderbird 2.0.0.9 (Macintosh/20071031) MIME-Version: 1.0 To: Stanislav Malyshev CC: "'PHP Internals'" References: <47AA5354.7020806@zend.com> In-Reply-To: <47AA5354.7020806@zend.com> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.92/5721/Wed Feb 6 18:18:06 2008 on colo.lerdorf.com X-Virus-Status: Clean Subject: Re: [PHP-DEV] _REQUEST and variable_order From: rasmus@lerdorf.com (Rasmus Lerdorf) Stanislav Malyshev wrote: > Hi! > > This topic was already discussed here but never arrived to a conclusion, > so I will raise it again. > The Problem: > We have $_REQUEST superglobal, which is often used to abstract GET/POST > requests. However, in most cases we do not want GET/POST variables to > mean the same as cookie and environment variables. We can avoid that by > setting variables_order to 'GP' but then we lose _SERVER and _COOKIES > which still can be very much useful. We cannot also reliably use > something like 'CGP' since while it won't allow cookies to override > GET/POST we still have no way of not accepting cookie that has no > matching GET/POST. I think this should be cleaned up so that _REQUEST > behavior would conform its use case. > > The proposal(s): > 1. One way to fix it is to create a new .ini request_order that would > control just _REQUEST. > > 2. Other solution would be to keep variables_order but drop 'C' parsing > from _REQUEST - i.e. make _REQUEST never include cookies. I don't know > how many people really need cookies together with get/post in REQUEST. > > 3. Yet another solution would be to make superglobals independent of > variables_order - i.e. _COOKIE would always exist even if > variables_order doesn't have the letter. I actually don't see any reason > having JIT to remove any of the superglobals - if you don't use them, > with JIT you don't pay for them. And with COOKIES it's not that it would > be a big cost anyway - how many cookies could you have? > Of course, it'd be more substantial change which could break some apps > relying on some quirks of current behavior. > > So, what do you think on this? They are all about equivalent. Even #3 would need some sort of ini override since otherwise it removes some flexibility we have today. There are setups that specifically rely on disabling $_COOKIE to force code to go through other mechanisms to get at the cookies. Perhaps a combination of 1 and 2. By default drop cookies from $_REQUEST but have an ini override for the few cases where the app actually relies on this behaviour. I have seen multi-page forms where instead of bouncing previous inputs along in hidden fields it gets transmitted in cookies and they use $_REQUEST to keep track of all of the responses. -Rasmus