Not turned on $_GET behaves the same. Turned on then $_GET would be filtered and you'd use a function call to get to the raw data. I don't see this as a problem and am not concerned about performance.
Andi
At 08:25 PM 2/1/2005 -0800, Rasmus Lerdorf wrote:
Ilia Alshanetsky wrote:Given that we'd always need to store the raw request data in memory, can we provide some mechanism of accessing it that does not require a function call? If working with integer or floating point based data it is much faster and simpler to just do (int)/(float) cast rather then executing function calls.
I suppose, but as far as I am concerned it should be the rare case where someone uses the raw data directly. All user input should be validated before being used. Unlike today where input validation is the rare case. If you have your own validation you want to do, then there should be a facility to pass a user function to the filter function.
A further question becomes what to do with Apache-populated variables. Things like $_SERVER['REQUEST_URI'] and $_SERVER['PATH_INFO'] could have nasty stuff in them. Filtering those as well isn't hard, of course.
Looking at my code here, it would actually be trivial to expose the raw data as superglobals, but what do we achieve then? We are simply renaming $_GET to $_GET_RAW or something like that? If you don't want any filtering to be done by default, simply don't turn it on.
-Rasmus
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
