Newsgroups: php.internals
Xref: news.php.net php.internals:43975
Subject: Re: [PHP-DEV] Re: Why does $_REQUEST exist?
From: mls@pooteeweet.org (Lukas Kahwe Smith)
To: Rasmus Lerdorf
Cc: Michael Shadle, Nathan Rixham, PHP Development
Date: Fri, 15 May 2009 10:32:07 +0200
In-Reply-To: <4A0D2648.3050802@lerdorf.com>
References: <4A0C9516.8060808@gmail.com> <4A0D2648.3050802@lerdorf.com>

On 15.05.2009, at 10:22, Rasmus Lerdorf wrote:

> Michael Shadle wrote:
>> On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham wrote:
>>
>>> bc? all the reasoning in the world won't justify it to 1 million
>>> businesses running php 4 code which is reliant on $_REQUEST behind
>>> the scenes.
>>>
>>> although it would generate a tonne of freelance work :p
>>
>> that code has to change for 5.3 or 6.0 anyway.
>>
>> now is the time to yank out some of the legacy crap. we don't want
>> PHP to be like windows, do we?
>
> The more stuff like this we remove, the harder it becomes for people to
> quickly move to newer, faster and more secure versions of PHP. That
> causes way more frustration for everyone than a few "ugly" legacy
> features. If there is a decent technical reason, performance or
> security, then we need to take a hard look at it. In this case, the
> thing we should be looking at isn't whether we should remove $_REQUEST
> but whether we should remove cookie data from it. Many configurations
> already do that, including all of my own, and there is a strong valid
> security reason for not including cookies in $_REQUEST. Most people use
> $_REQUEST to mean GET or POST, not realizing that it could also contain
> cookies and as such bad guys could potentially do some cookie injection
> tricks and break naive applications.

It's already fixed in 5.3. There is a new ini option that defines what
should go into $_REQUEST. See the following blog post for details:
http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/

Also a lot of work was put into restructuring the php.ini files we ship
with PHP.

regards,
Lukas Kahwe Smith
mls@pooteeweet.org
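The 5.3 ini option Lukas refers to is `request_order`; the following is an added illustration, not code from the thread or from PHP itself. It models how $_REQUEST is assembled from that setting (only the G, P and C letters are consulted, later letters overwrite earlier ones, and `variables_order` is the fallback when `request_order` is empty) and adds a bootstrap self-check. The ini names are real PHP settings; the merge model is simplified to `array_merge` and the sample request data is constructed.

```php
<?php
// Added illustration, not code from the thread. Models how PHP 5.3 fills
// $_REQUEST: it walks request_order (or variables_order when request_order
// is empty), consults only the G, P and C sources, and lets later letters
// overwrite earlier ones. Nested-array merging is simplified to array_merge.

function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // keys from a later source overwrite the same keys from earlier ones
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Bootstrap self-check: does this process's effective order let cookie data
// into $_REQUEST? request_order is PHP_INI_PERDIR, so it has to be fixed in
// php.ini (request_order = "GP") or per-directory config, not via ini_set().
function request_order_allows_cookies(): bool
{
    $order = ini_get('request_order');
    if ($order === false || $order === '') {
        $order = ini_get('variables_order'); // the fallback PHP itself uses
    }
    return stripos((string) $order, 'C') !== false;
}

// Constructed request: a POST field and a cookie that share a name.
$get    = [];
$post   = ['action' => 'view'];
$cookie = ['action' => 'delete'];

$orders = [
    'EGPCS' => 'variables_order default (used when request_order is empty)',
    'GP'    => 'request_order shipped in php.ini-production for 5.3',
];
foreach ($orders as $order => $label) {
    $request = build_request($order, $get, $post, $cookie);
    printf("%-6s %-60s action=%s\n", $order, $label, $request['action']);
}

if (request_order_allows_cookies()) {
    fwrite(STDERR, "warning: cookies are merged into \$_REQUEST; set request_order = \"GP\"\n");
}
```

Run it from the CLI to see the cookie value win under EGPCS and the POST value win under GP; the warning fires only if the interpreter's own effective order still contains C.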