[wp-trac] Re: [WordPress Trac] #8814: Bad use of $_REQUEST variable in wordpress
WordPress Trac
wp-trac at lists.automattic.com
Thu Jan 8 14:45:32 GMT 2009
#8814: Bad use of $_REQUEST variable in wordpress
--------------------------------------+-------------------------------------
Reporter: firstbit | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 2.8
Component: Security | Version: 2.8
Severity: normal | Resolution:
Keywords: needs-patch dev-feedback |
--------------------------------------+-------------------------------------
Changes (by DD32):
* keywords: => needs-patch dev-feedback
* priority: high => normal
* version: => 2.8
Comment:
See also: http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/
I'd nearly suggest something similar to {{{wp_unregister_GLOBALS()}}}
which only populated it with GET/POST/SERVER data.. and ignored cookie
data.. just for the simplicity which $_REQUEST brings. In quite a lot of
places the reason $_REQUEST is used is because the data could come from
either GET or POST, and we'd end up with things such as:
{{{
$action = isset($_GET['action']) ? $_GET['action'] :
(isset($_POST['action']) ? $_POST['action'] : '');
}}}
which is ok, but.. it gets a bit tedious, and is near impossible to use
in-line.. I know if I was to suggest that there'd be a whole lot of
negative to that I'm sure :)
--
Ticket URL: <http://trac.wordpress.org/ticket/8814#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
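The cookie-free parameter lookup DD32 sketches above, as an added example that is not part of the ticket or of WordPress: `request_param()` and `request_without_cookies()` are hypothetical names, and `$_SERVER` is left out here because only user-supplied GET/POST parameters are at issue.

```php
<?php
// Added example (not WordPress code). Resolves a request parameter from
// $_GET / $_POST only, so a cookie planted with the same name can never
// override it. With $_REQUEST that is possible, because its contents follow
// PHP's variables_order / request_order settings, and with the default
// EGPCS order a cookie value wins over GET and POST.
function request_param($key, $default = '', $prefer = 'POST') {
    $sources = ($prefer === 'POST') ? array($_POST, $_GET) : array($_GET, $_POST);
    foreach ($sources as $source) {
        if (isset($source[$key])) {
            return $source[$key];
        }
    }
    return $default;
}

// Cookie-free replacement for the whole $_REQUEST array, built in one pass
// (GET first, POST overriding it), in the spirit of the proposed
// wp_unregister_GLOBALS()-style repopulation.
function request_without_cookies() {
    return array_merge($_GET, $_POST);
}

// Constructed demonstration input: a cookie that reuses the parameter
// name 'action' with a different value than the query string carries.
$_GET    = array('action' => 'edit', 'post' => '42');
$_POST   = array();
$_COOKIE = array('action' => 'delete');

// Both lookups ignore $_COOKIE entirely, so the 'action' seen by the
// application is the one from the query string, not the cookie.
var_dump(request_param('action'));
var_dump(request_without_cookies());
```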