So, I have a script that needs to get an item id, via GET or POST:
You want me to:
```php
// Prefer POST, fall back to GET, otherwise use the default.
if (isset($_POST['id'])) {
    $nId = intval($_POST['id']);
} else {
    if (isset($_GET['id'])) {
        $nId = intval($_GET['id']);
    } else {
        $nId = 0; // default
    }
}
```
While I would:
```php
// Read the id from whichever source populated $_REQUEST.
if (isset($_REQUEST['id'])) {
    $nId = intval($_REQUEST['id']);
} else {
    $nId = 0; // default
}
```
Moreover, in my actual scripts I use a function (simplified) GetInt($variable, $nDefault) like this:
```php
$nId = GetInt($_REQUEST['id'], 0);
```
Which you advise me to use as:
```php
$nId = GetInt($_POST['id'], GetInt($_GET['id'], 0));
```
True, $_REQUEST may also contain data from other sources, but I usually don't care, and treat them equally (i.e. any insecure handling I'd do with $_REQUEST, I would have also done with $_GET and $_POST). The only place I actually use $_POST exclusively is in my login system, and it is to protect the user from the side effects of having his password visible in the URL. It would not make my script any more insecure had I used $_REQUEST.
So I have good reasons to use $_REQUEST (smaller and more readable code, and some features of my other "library" functions) and I don't have a bad reason not to use it. I would gladly revise my opinion if I see a viable scenario when using $_REQUEST brings any harm, so I leave the burden of proof to you guys,
Everah, onion2k, stereofrog.
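An added example, not part of the original post: a CLI-runnable model of how PHP fills $_REQUEST from the `request_order` setting (falling back to `variables_order`), compared with the explicit POST-then-GET lookup from the post. The helper names `buildRequest()` and `getInt()` are hypothetical, and the input arrays are constructed sample data.

```php
<?php
// Added example: models how PHP fills $_REQUEST so the result can be compared
// with an explicit POST-then-GET lookup. All input arrays are constructed.

// Build a $_REQUEST-like array. PHP registers the sources left to right in
// the order given by request_order (or variables_order when request_order is
// unset); a source registered later overwrites an earlier one on a collision.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {      // E and S never reach $_REQUEST
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical stand-in for the post's simplified GetInt(). It takes the
// array and the key so that a missing key does not raise a notice.
function getInt(array $source, string $key, int $default): int
{
    return isset($source[$key]) && is_scalar($source[$key])
        ? intval($source[$key])
        : $default;
}

// Constructed request: ?id=7 in the URL, no POST body, and a cookie that
// also happens to be named "id".
$get    = ['id' => '7'];
$post   = [];
$cookie = ['id' => '99'];

// The explicit lookup never consults cookies, whatever php.ini says.
$explicit = getInt($post, 'id', getInt($get, 'id', 0));

// "GP" is the value in the stock php.ini files; "EGPCS" is the built-in
// variables_order default that applies when request_order is unset.
foreach (['GP', 'EGPCS', 'CGP'] as $order) {
    $request = buildRequest($order, $get, $post, $cookie);
    printf(
        "order=%-5s  \$_REQUEST id=%d  POST-then-GET id=%d\n",
        $order,
        getInt($request, 'id', 0),
        $explicit
    );
}
```

The value read through $_REQUEST depends on a server-side ini setting, while the POST-then-GET form gives the same result on every host.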