Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58035
Return-Path: <larry@garfieldtech.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 56840 invoked from network); 24 Feb 2012 22:17:04 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 24 Feb 2012 22:17:04 -0000
Authentication-Results: pb1.pair.com smtp.mail=larry@garfieldtech.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=larry@garfieldtech.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain garfieldtech.com from 66.111.4.29 cause and error)
X-PHP-List-Original-Sender: larry@garfieldtech.com
X-Host-Fingerprint: 66.111.4.29 out5-smtp.messagingengine.com  
Received: from [66.111.4.29] ([66.111.4.29:52763] helo=out5-smtp.messagingengine.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 1C/DE-17132-E5C084F4 for <internals@lists.php.net>; Fri, 24 Feb 2012 17:17:02 -0500
Received: from compute3.internal (compute3.nyi.mail.srv.osa [10.202.2.43])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 417CA20DFF
	for <internals@lists.php.net>; Fri, 24 Feb 2012 17:17:00 -0500 (EST)
Received: from frontend2.nyi.mail.srv.osa ([10.202.2.161])
  by compute3.internal (MEProxy); Fri, 24 Feb 2012 17:17:00 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=message-id:date:from:mime-version:to
	:subject:references:in-reply-to:content-type
	:content-transfer-encoding; s=smtpout; bh=rkzjBZIUQwb76de1sx+Iwq
	Yti2Q=; b=jbT03MY/WTt87Hn+PKj6rLSFZMPvnhJTVIWdQJ9aig6XV8gNqS9NPa
	ItYVA4H9/I87sWYpktNk9L2OBSspwmS++lyzpctEATcnrvdH9/hjomRyAFegnrQJ
	dTTOl4sZ9H8TA6SmOlslY7QxHP/KYuNfSyIiG0ILdsM2oiM1sXiiY=
X-Sasl-enc: e4MhXcobeWIwdBFeWl1/eE0r6u7RNzGIYu4KhEPig0rG 1330121820
Received: from garfield.ad.palantir.net (unknown [209.41.114.202])
	by mail.messagingengine.com (Postfix) with ESMTPSA id 105094825CC
	for <internals@lists.php.net>; Fri, 24 Feb 2012 17:16:59 -0500 (EST)
Message-ID: <4F480C5B.30606@garfieldtech.com>
Date: Fri, 24 Feb 2012 16:16:59 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: internals@lists.php.net
References: <CAGovj_PbjoB78kXvZcaSkx3qQziMXX7ezVmzYSPHQbJL7uu7VA@mail.gmail.com>    <8D8E9A0839FE464FBBDF2B499DAFA596@gmail.com>    <CAGovj_OA29qv0MvpFwaT6EF4h_+CYuirNY8nLBaqGurkdO3Afw@mail.gmail.com> <88ad33db205558862288b3114ef4c391.squirrel@www.l-i-e.com>
In-Reply-To: <88ad33db205558862288b3114ef4c391.squirrel@www.l-i-e.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] $_PARAMETERS Super Global Object
From: larry@garfieldtech.com (Larry Garfield)

On 2/24/12 3:28 PM, Richard Lynch wrote:
> On Wed, February 22, 2012 9:10 am, Michael Morris wrote:
>> $_REQUEST does nothing of the sort, and it's use is dangerous in
>> RESTful architecture.  $_REQUEST is a smash together of $_GET, $_POST
>> and $_COOKIE, in that order but the php.ini directive can change it.
>> Hence there's no way of knowing if $_REQUEST['password'] came from
>> $_COOKIE, $_POST, or $_GET, and worse, if two values in those source
>> arrays have the same key $_REQUEST will overwrite them.  $_REQUEST to
>> be honest, is a lame shortcut and bad idea almost on par with
>> register_globals.
>
> Given that all three of $_GET $_POST and $_COOKIE are equally suspect
> from a security POV, and you shouldn't really *care* which way the
> client delivered the value, or at least not rely on it for anything
> useful, I've never understood the resistance to using $_REQUEST.
>
> Yes, GET should be idempotent, but there are many APIs and functions
> in a large app that are idempotent by nature, and having a REST that
> just doesn't care how the data comes in allows the consumer of the
> service to use whatever they prefer.
>
> If your entire REST service is read-only, such as an RSS feed, why not
> allow GET or POST (or, silly as it may be COOKIE) and just use
> $_REQUEST.

Because GET and POST are not even remotely the same thing and treating 
them as completely interchangeable is a bug in the first place.  It is 
in fact legal to have both in the same request.  Then what do you do?

The idea of having a real request object in PHP is a good one; however, 
a superglobal is not it.  Making it a superglobal eliminates the value 
of a real request object, namely that you can encapsulate it, override 
it locally, pass it around, mock it for testing, etc. in a safe fashion. 
  A superglobal request object is a complete waste of time.

There are a number of existing request object libraries out there 
already.  PECL HTTP in C, both Zend and Symfony2 have their versions, 
etc.  Drupal is in the process of moving to Symfony's.  Any PHP-core 
request object (which in general I will agree is a good thing, and 
something sorely missing in the language today) should be based on one 
of those, where there's already existing work done to work out the 
kinks.  Simply throwing $_GET onto a property of a superglobal object 
does not accomplish anything useful.

--Larry Garfield