On Thu, Dec 16, 2010 at 3:18 PM, Matthew Weier O'Phinney
<weierophin...@php.net> wrote:
> On 2010-12-16, Pierre Joye <pierre....@gmail.com> wrote:
>> There are a lot of values to disable POST completely. That's also why
>> thinking the option you are proposing while keeping in mind the whole
>> picture makes sense.
>>
>> There are different existing modes and one or two new modes (to be
>> introduced, like disabling POST). Having a clean way to choose which
>> mode should be used for a request makes sense and will improve the
>> user experience. Right now, as the confusing discussions on IRC (or
>> partially here) show, the current situation is a mess.
>>
>> Again, I'm not saying that the idea behind this patch is bad, only
>> that there is a better way to do it while being less confusing and
>> making the whole thing cleaner to define.
>
> Seriously, disabling POST via a php.ini setting is considered a
> "sensible" option? Has nobody ever developed a RESTful application?

No comment.

> The only way I can see such an action being "sensible" is if it's also
> runtime configurable (i.e., via ini_set()) - otherwise I foresee a ton
> of issues between security-paranoid sysadmins and developers when code
> is pushed to production and simply stops working...
>
> I understand the rationale behind Pierre's assertion, but it's
> incredibly short-sighted when you consider a full application, where
> some actions need to accept raw POST/PUT data (man, would I love a $_PUT
> superglobal...), others need to accept file uploads, and most others
> need neither.

I never said it should be a php.ini option, or only a php.ini option.
But having 300 ways to do the same things, or to change options is
bad. You should also keep in mind that even if it is a php.ini option,
it should obviously be INI_PER_DIR and not system-wide (that's what
server options exist for, or it's more appropriate there if one wants to
disable POST permanently and for all requests/URLs).

All in all, I don't think adding a set of new ini settings for very
specific and disputable features is not something good to do. If we
need something to process file uploads more efficiently, then let's do
it in a good way (no, processing php://input manually is not what I
can consider as a good way :).

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
