Re: Something good written with the Zend Framework

Posted: Sat Nov 28, 2009 2:10 pm
by Christopher
PCSpectra wrote: Arborint, do you still feel this way, years later?
Yes, but I think it is more of a style issue than substance.

Re: Something good written with the Zend Framework

Posted: Sat Nov 28, 2009 3:14 pm
by alex.barylski
I have thought about this for a while now and I think I have myself more confused than before...

How does forcing the request object to return only GET or POST data (based on the actual request method (GET or POST)) enhance security? I suppose I like the explicitness of it, but does it really matter where the data comes from when using $_REQUEST as an array as opposed to GET or POST explicitly?

Initially I thought it might prevent CSRF, but after some more thought I don't think this is the case, is it???

Cheers,
Alex

Re: Something good written with the Zend Framework

Posted: Sat Nov 28, 2009 3:56 pm
by Christopher
The problem with $_REQUEST is that data expected from one source could be overwritten by another. A request object that provides data from the appropriate array based on the request type is a different thing. You should still do isPost/isGet checks as necessary, and more importantly filter and escape incoming data.

Re: Something good written with the Zend Framework

Posted: Sat Nov 28, 2009 11:45 pm
by josh
The reason you have a request object is specifically so you decouple from super globals. Later on you could subclass the request object for testing. You could subclass the request object to return named CLI arguments (I think this is already in the Zend "core" actually). You could even get clever and subclass the request object on a per-module basis, using it like a value object to remove "feature envy".
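As an added illustration of Christopher's point about $_REQUEST merging sources and josh's point about a request object being testable without superglobals (example code written for this page, not Zend Framework's own Request class; the class and method names are assumptions):

```php
<?php
// Added example (not Zend Framework code, not from the thread): a minimal
// request object that serves parameters only from the array matching the
// actual HTTP method, shown beside the ambiguity of $_REQUEST.
// Class and method names here are illustrative assumptions.

final class Request
{
    // Superglobal contents are injected, so the class can be unit-tested
    // with plain arrays instead of touching $_GET/$_POST.
    public function __construct(
        private string $method,
        private array $get,
        private array $post
    ) {
        $this->method = strtoupper($method);
    }

    public function isGet(): bool  { return $this->method === 'GET'; }
    public function isPost(): bool { return $this->method === 'POST'; }

    // Reads from the source that matches the request method. A value in the
    // query string is never seen by a POST handler and vice versa, so one
    // source cannot silently overwrite another.
    public function getParam(string $name, ?string $default = null): ?string
    {
        $source = $this->isPost() ? $this->post : $this->get;
        $value  = $source[$name] ?? null;
        // Filter at the boundary: accept only a scalar string, never an array.
        return is_string($value) ? $value : $default;
    }
}

// Constructed sample: a POST form sends action=view, while the query string
// and a cookie carry a different value under the same name.
$get    = ['action' => 'delete'];
$post   = ['action' => 'view'];
$cookie = ['action' => 'delete'];

// PHP fills $_REQUEST by merging the sources in request_order (or
// variables_order when that is unset), later sources overriding earlier
// ones: with "GP" the form field survives, with "GPC" the cookie wins.
$request_gp  = array_merge($get, $post);
$request_gpc = array_merge($get, $post, $cookie);

$req = new Request('POST', $get, $post);
var_dump($req->isPost());
var_dump($req->getParam('action'));
var_dump($request_gp['action'], $request_gpc['action']);
```

The request object still needs the isPost/isGet checks and input filtering Christopher mentions; it only removes the cross-source overwrite that $_REQUEST permits.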