Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:43935 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 21559 invoked from network); 14 May 2009 17:18:47 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 May 2009 17:18:47 -0000 Authentication-Results: pb1.pair.com header.from=mike503@gmail.com; sender-id=pass; domainkeys=bad Authentication-Results: pb1.pair.com smtp.mail=mike503@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.146.181 as permitted sender) DomainKey-Status: bad X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: mike503@gmail.com X-Host-Fingerprint: 209.85.146.181 wa-out-1112.google.com Received: from [209.85.146.181] ([209.85.146.181:40392] helo=wa-out-1112.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 8A/E6-27038-6725C0A4 for ; Thu, 14 May 2009 13:18:46 -0400 Received: by wa-out-1112.google.com with SMTP id m16so528832waf.7 for ; Thu, 14 May 2009 10:18:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=AAcqjYgBC4gKF+OqyjSYZj0amBSxVnAxTDzPV/QBPz4=; b=EdiBq0hcPOKtBxNr1WknndxKjojDOrpyCuFCOBlLcAFZID9+qbTlkK3LDkxV2ZwzYO TXgxgKTQsdUNE7Yi5Anqxe6DRKgCTHIVhqUSHGgOwZigDzcVdQmpJjxsXAu9RqaSvBZI GPFpGjIk5acN6zUX+hNA9pkUPHUn+Mqnxfobo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=PsKXAOjL7QxsDH0140gmRv9YWG1ISI4FktGday8pvDflkdHT148upk5Uqrbpi8yzrT nAOplN8swUxxrQdUE7P8mrJFEELjLBa2mGB1mMGYx2MswFVDekr1IyJimtf0VyFtD/Co YH0d+znkWAlZDuTk68w1Fq3zN8i3Dz+1EYdpk= MIME-Version: 1.0 Received: by 10.114.113.16 with SMTP id l16mr2488780wac.164.1242321518441; Thu, 14 May 2009 10:18:38 -0700 (PDT) Date: Thu, 14 May 2009 10:18:38 -0700 Message-ID: To: PHP Development Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Why does $_REQUEST exist? From: mike503@gmail.com (Michael Shadle) To me, it basically creates some laziness and reintroduces a vector on the register_globals issue. I've been using $_GET $_POST $_COOKIE $_SESSION $_SERVER etc. since they were introduced, and have never had any problems. Was there a reasoning behind making a variable that essentially glues them all (well, most) together again and allows for a POST to override a GET or a SESSION var (depending on your settings of course) If people want something like $_REQUEST they can make their own $_REQUEST = array_merge($_GET, $_POST, etc) or if(isset($_GET['myvar'])) { do stuff; } elseif(isset($_POST['myvar'])) { do stuff; } I actually unset($_REQUEST) in my framework so the developers on my team can't use it. If I ever have a mixed source where I'm not sure if it it's a POST or GET, I use an example like the second one - that gives me ultimate control of the order in which I trust the variables and such. Seems to me with PHP 5.3 requiring changes to adopt and PHP 6 with code change requirements, I would personally recommend removing $_REQUEST (along with $HTTP_GET_VARS, $HTTP_POST_VARS, and all the other long versions, again, something I unset just in case some junior developer steals some code or doesn't understand the shorthand superglobal exists already...) I can see (albeit with mixed acceptance) the need to look at GET, POST, and whatever other sources $_REQUEST might pull in for some certain applications because they're not sure if it comes through. Personally I always make sure it comes through one way or the other; but I guess that is not always the case. But for those cases, there are easy enough ways to code around it, doing something like example #1, for instance. Then, you can control the order of trust wherever you use it - perhaps sometimes you want to prefer POST first, sometimes you want to prefer SESSION first, etc... I don't know of any other reasoning behind this and have brought this up with many people, possibly even this list in the past. But since changes have to occur anyway for 5.3 and 6, maybe one of those can actually implement this removal? Thanks, mike