Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:43963 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 39036 invoked from network); 14 May 2009 22:03:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 May 2009 22:03:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=nrixham@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=nrixham@gmail.com; sender-id=pass; domainkeys=bad Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.219.166 as permitted sender) DomainKey-Status: bad X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: nrixham@gmail.com X-Host-Fingerprint: 209.85.219.166 mail-ew0-f166.google.com Received: from [209.85.219.166] ([209.85.219.166:63876] helo=mail-ew0-f166.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 11/B0-27038-D159C0A4 for ; Thu, 14 May 2009 18:03:09 -0400 Received: by ewy10 with SMTP id 10so1994078ewy.23 for ; Thu, 14 May 2009 15:03:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=YGAIWLStwcbm8+nFwYViAO7utXkhycrFGMx48nVLwnY=; b=aPVrYVlIF7Ke8dVYK7rF6tC37/QaptV+I35sL5iuEbq22f8fE9AwlDOxAKghDCDe1b 284tZ1aCOkOmdsNV0CK8CpEC0nwFa67KfaIQHVztwICJwL9ufyqVMv1VREWfdzAmiTSS 9KAOiorsX9fY7VMiiCJ+toXiI8l2s6pBczrK4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=iKypY/KCNehIoiEKAoDreK+BP0ryPVCy+nidihFBYh3UElweJohuhZedGBwzLGWc/b 2FagsvAP/5Gk/7UB6avLRuW9PQEyJilDjlaUjHjIfWChfye7kmRYSKWKHX6akbQZxR4r AeCwkeNwudKaOw4/0vZHUUvWDFYlk+0kwfp1E= Received: by 10.210.44.11 with SMTP id r11mr92964ebr.30.1242338586670; Thu, 14 May 2009 15:03:06 -0700 (PDT) Received: from ?192.168.2.5? (82-41-135-70.cable.ubr02.grth.blueyonder.co.uk [82.41.135.70]) by mx.google.com with ESMTPS id 20sm608707ewy.17.2009.05.14.15.03.06 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 14 May 2009 15:03:06 -0700 (PDT) Message-ID: <4A0C9516.8060808@gmail.com> Date: Thu, 14 May 2009 23:03:02 +0100 User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Michael Shadle CC: PHP Development References: In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: Why does $_REQUEST exist? From: nrixham@gmail.com (Nathan Rixham) Michael Shadle wrote: > To me, it basically creates some laziness and reintroduces a vector on > the register_globals issue. > > I've been using $_GET $_POST $_COOKIE $_SESSION $_SERVER etc. since > they were introduced, and have never had any problems. Was there a > reasoning behind making a variable that essentially glues them all > (well, most) together again and allows for a POST to override a GET or > a SESSION var (depending on your settings of course) > > If people want something like $_REQUEST they can make their own > > $_REQUEST = array_merge($_GET, $_POST, etc) > > or > > if(isset($_GET['myvar'])) { > do stuff; > } elseif(isset($_POST['myvar'])) { > do stuff; > } > > I actually unset($_REQUEST) in my framework so the developers on my > team can't use it. If I ever have a mixed source where I'm not sure if > it it's a POST or GET, I use an example like the second one - that > gives me ultimate control of the order in which I trust the variables > and such. > > Seems to me with PHP 5.3 requiring changes to adopt and PHP 6 with > code change requirements, I would personally recommend removing > $_REQUEST (along with $HTTP_GET_VARS, $HTTP_POST_VARS, and all the > other long versions, again, something I unset just in case some junior > developer steals some code or doesn't understand the shorthand > superglobal exists already...) > > I can see (albeit with mixed acceptance) the need to look at GET, > POST, and whatever other sources $_REQUEST might pull in for some > certain applications because they're not sure if it comes through. > Personally I always make sure it comes through one way or the other; > but I guess that is not always the case. But for those cases, there > are easy enough ways to code around it, doing something like example > #1, for instance. Then, you can control the order of trust wherever > you use it - perhaps sometimes you want to prefer POST first, > sometimes you want to prefer SESSION first, etc... > > I don't know of any other reasoning behind this and have brought this > up with many people, possibly even this list in the past. But since > changes have to occur anyway for 5.3 and 6, maybe one of those can > actually implement this removal? > > Thanks, > mike bc? all the reasoning in the world won't justify it to 1 million businesses running php 4 code which is reliant on $_REQUEST behind the scenes. although it would generate a tonne of freelance work :p