On Fri, May 15, 2009 at 10:32, Lukas Kahwe Smith <m...@pooteeweet.org> wrote:
>
> On 15.05.2009, at 10:22, Rasmus Lerdorf wrote:
>
>> Michael Shadle wrote:
>>>
>>> On Thu, May 14, 2009 at 3:03 PM, Nathan Rixham <nrix...@gmail.com> wrote:
>>>
>>>> bc? all the reasoning in the world won't justify it to 1 million
>>>> businesses running php 4 code which is reliant on $_REQUEST behind
>>>> the scenes.
>>>>
>>>> although it would generate a tonne of freelance work :p
>>>
>>> that code has to change for 5.3 or 6.0 anyway.
>>>
>>> now is the time to yank out some of the legacy crap. we don't want PHP
>>> to be like windows, do we?
>>
>> The more stuff like this we remove, the harder it becomes for people to
>> quickly move to newer, faster and more secure versions of PHP. That
>> causes way more frustration for everyone than a few "ugly" legacy
>> features. If there is a decent technical reason, performance or
>> security, then we need to take a hard look at it. In this case, the
>> thing we should be looking at isn't whether we should remove $_REQUEST
>> but whether we should remove cookie data from it. Many configurations
>> already do that, including all of my own, and there is a strong valid
>> security reason for not including cookies in $_REQUEST. Most people use
>> $_REQUEST to mean GET or POST, not realizing that it could also contain
>> cookies and as such bad guys could potentially do some cookie injection
>> tricks and break naive applications.
>
>
> It's already fixed in 5.3. There is a new ini option that defines what should
> go into $_REQUEST. See the following blog post for details:

And simplified version in the docs http://php.net/request_order

-Hannes

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
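
The cookie-shadowing behaviour discussed in this thread, as an added example that is not part of the original messages or of PHP's own code: it compares a `request_order` that includes cookies with one that does not, then reports the setting of the interpreter running it. `build_request()` and `effective_request_order()` are hypothetical helpers, and the request values are constructed.

```php
<?php
// Added illustration. build_request() is a hypothetical helper that mimics how
// PHP fills $_REQUEST: sources are applied left to right in the configured
// order, so a later source overwrites an earlier one when keys collide.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// request_order falls back to variables_order when it is left empty.
function effective_request_order(): string
{
    $order = (string) ini_get('request_order');
    return $order !== '' ? $order : (string) ini_get('variables_order');
}

// Constructed sample request: the query string and a cookie share a key.
$get    = ['account' => '1001'];
$post   = [];
$cookie = ['account' => '9999'];

foreach (['GPC', 'GP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST['account'] = %s\n", $order, $request['account']);
}

// Audit the interpreter running this script.
$active = effective_request_order();
printf(
    "active order: %s (%s)\n",
    $active,
    stripos($active, 'C') !== false ? 'cookies included in $_REQUEST' : 'cookies excluded'
);

// Code that expects a GET or POST value can avoid the question by reading
// the specific source ($_GET / $_POST in a real request) instead of $_REQUEST.
$account = $get['account'] ?? $post['account'] ?? null;
printf("explicit GET/POST lookup: %s\n", $account);
```

With `GPC` the cookie value replaces the query-string value under the same key; with `GP` the cookie never reaches the merged array.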