Newsgroups: php.internals
Message-ID: <4A0D2648.3050802@lerdorf.com>
Date: Fri, 15 May 2009 10:22:32 +0200
To: Michael Shadle
CC: Nathan Rixham, PHP Development
References: <4A0C9516.8060808@gmail.com>
Subject: Re: [PHP-DEV] Re: Why does $_REQUEST exist?
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Michael Shadle wrote:
> On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham wrote:
>
>> bc?
>> all the reasoning in the world won't justify it to 1 million businesses
>> running php 4 code which is reliant on $_REQUEST behind the scenes.
>>
>> although it would generate a tonne of freelance work :p
>
> that code has to change for 5.3 or 6.0 anyway.
>
> now is the time to yank out some of the legacy crap. we don't want PHP
> to be like windows, do we?

The more stuff like this we remove, the harder it becomes for people to
quickly move to newer, faster and more secure versions of PHP. That
causes way more frustration for everyone than a few "ugly" legacy
features.

If there is a decent technical reason, performance or security, then we
need to take a hard look at it. In this case, the thing we should be
looking at isn't whether we should remove $_REQUEST but whether we
should remove cookie data from it. Many configurations already do that,
including all of my own, and there is a strong valid security reason for
not including cookies in $_REQUEST. Most people use $_REQUEST to mean
GET or POST, not realizing that it could also contain cookies and as
such bad guys could potentially do some cookie injection tricks and
break naive applications.

-Rasmus
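
Added example, not part of the message above and not code from php-src: a small model of how $_REQUEST is assembled, showing why a configuration that leaves cookies out keeps a cookie from shadowing a GET or POST parameter. The function names and sample arrays are hypothetical; request_order is the php.ini directive available from PHP 5.3, with variables_order used when it is empty.

```php
<?php
// Added illustration, not code from the thread or from php-src.
// Helper names are hypothetical; the sample arrays below are constructed.

// Model of how $_REQUEST is filled: sources named in the order string are
// registered left to right, and a later source overwrites an earlier key.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// The order PHP actually applies: request_order, else variables_order.
function effective_request_order(): string
{
    $order = (string) ini_get('request_order');
    return $order !== '' ? $order : (string) ini_get('variables_order');
}

// Read a parameter from POST or GET only, never from cookies.
function get_or_post(string $name, array $get, array $post): ?string
{
    $value = $post[$name] ?? $get[$name] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed request: the query string and a cookie both carry "page".
$get    = ['page' => 'inbox'];
$post   = [];
$cookie = ['page' => 'settings', 'theme' => 'dark'];

// With cookies in the order string, the cookie's "page" replaces the GET one.
var_dump(build_request('GPC', $get, $post, $cookie)['page']);
// With cookies left out, the GET value is what the application sees.
var_dump(build_request('GP', $get, $post, $cookie)['page']);
// Reading the superglobals explicitly gives the same result on any config.
var_dump(get_or_post('page', $get, $post));

// Audit the running configuration.
if (stripos(effective_request_order(), 'C') !== false) {
    echo "Cookies are merged into \$_REQUEST; consider request_order = \"GP\".\n";
}
```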