Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:35280
Return-Path: <sam@sambarrow.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 2358 invoked by uid 1010); 7 Feb 2008 04:45:28 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 2342 invoked from network); 7 Feb 2008 04:45:28 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 7 Feb 2008 04:45:28 -0000
Authentication-Results: pb1.pair.com header.from=sam@sambarrow.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=sam@sambarrow.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain sambarrow.com from 205.234.132.11 cause and error)
X-PHP-List-Original-Sender: sam@sambarrow.com
X-Host-Fingerprint: 205.234.132.11 scottsdale.servershost.net  
Received: from [205.234.132.11] ([205.234.132.11:44151] helo=scottsdale.servershost.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 33/B1-20044-7DC8AA74 for <internals@lists.php.net>; Wed, 06 Feb 2008 23:45:28 -0500
Received: from 208-58-196-175.c3-0.slvr-ubr1.lnh-slvr.md.cable.rcn.com ([208.58.196.175]:50487 helo=[192.168.1.88])
	by scottsdale.servershost.net with esmtpsa (SSLv3:AES256-SHA:256)
	(Exim 4.68)
	(envelope-from <sam@sambarrow.com>)
	id 1JMydK-0000Ei-C9; Wed, 06 Feb 2008 22:45:10 -0600
To: Rasmus Lerdorf <rasmus@lerdorf.com>
Cc: Stanislav Malyshev <stas@zend.com>, 'PHP Internals' <internals@lists.php.net>
In-Reply-To: <47AA88A9.4000802@lerdorf.com>
References: <47AA5354.7020806@zend.com>  <47AA88A9.4000802@lerdorf.com>
Content-Type: text/plain
Date: Wed, 06 Feb 2008 23:45:09 -0500
Message-ID: <1202359509.12780.9.camel@sams-room>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.1 
Content-Transfer-Encoding: 7bit
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - scottsdale.servershost.net
X-AntiAbuse: Original Domain - lists.php.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - sambarrow.com
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Subject: Re: [PHP-DEV] _REQUEST and variable_order
From: sam@sambarrow.com (Sam Barrow)


On Wed, 2008-02-06 at 20:27 -0800, Rasmus Lerdorf wrote:
> Stanislav Malyshev wrote:
> > Hi!
> > 
> > This topic was already discussed here but never arrived to a conclusion, 
> > so I will raise it again.
> > The Problem:
> > We have $_REQUEST superglobal, which is often used to abstract GET/POST 
> > requests. However, in most cases we do not want GET/POST variables to 
> > mean the same as cookie and environment variables. We can avoid that by 
> > setting variables_order to 'GP' but then we lose _SERVER and _COOKIES 
> > which still can be very much useful. We cannot also reliably use 
> > something like 'CGP' since while it won't allow cookies to override 
> > GET/POST we still have no way of not accepting cookie that has no 
> > matching GET/POST. I think this should be cleaned up so that _REQUEST 
> > behavior would conform its use case.
> > 
> > The proposal(s):
> > 1. One way to fix it is to create a new .ini request_order that would 
> > control just _REQUEST.
> > 
> > 2. Other solution would be to keep variables_order but drop 'C' parsing 
> > from _REQUEST - i.e. make _REQUEST never include cookies. I don't know 
> > how many people really need cookies together with get/post in REQUEST.
> > 
> > 3. Yet another solution would be to make superglobals independent of 
> > variables_order - i.e. _COOKIE would always exist even if 
> > variables_order doesn't have the letter. I actually don't see any reason 
> > having JIT to remove any of the superglobals - if you don't use them, 
> > with JIT you don't pay for them. And with COOKIES it's not that it would 
> > be a big cost anyway - how many cookies could you have?
> > Of course, it'd be more substantial change which could break some apps 
> > relying on some quirks of current behavior.
> > 
> > So, what do you think on this?
> 
> They are all about equivalent.  Even #3 would need some sort of ini
> override since otherwise it removes some flexibility we have today.
> There are setups that specifically rely on disabling $_COOKIE to force
> code to go through other mechanisms to get at the cookies.
> 
> Perhaps a combination of 1 and 2.  By default drop cookies from
> $_REQUEST but have an ini override for the few cases where the app
> actually relies on this behaviour.  I have seen multi-page forms where
> instead of bouncing previous inputs along in hidden fields it gets
> transmitted in cookies and they use $_REQUEST to keep track of all of
> the responses.

True. Why not an ini setting, request_variables that works the same as
variables_order, just for $_REQUEST.

> -Rasmus
>