A Little Noise

June 16, 2006

On Request

Filed under: PHP — snoyes @ 4:50 pm

Imagine you’re a rat in a scientific lab. There are two doors leading into your cage, one red, one blue. Every morning, the red door opens, and a bit of cheese tumbles in. Sometimes you can eat the cheese, and all is well. Other times, there’s a long silver thing stuck in it. You find that if you eat the cheese where it lies on the metal cage floor, it makes your tongue hurt, your paw jump, and gives you a very bad headache. But if you push the cheese over to the pile of wood shavings where you sleep, you can eat it without difficulty. Sometimes the silver thing is very thin and hard to see, so you make it a habit to only trust in the safety of the wood pile.

Every once in a while, the blue door opens instead of the red one. The cheese that comes through looks, smells, and tastes exactly the same as that from the red door, except it almost always has that silver thing attached.

One day, you wake to find that another rat has been placed in your cage. This rat is older; the streaks of gray in his fur color him dignified, while the scars and the twitch in his right front paw tell the sad tale of all experienced lab rats.

This same morning, it is the blue door that opens. You hop up, push the cheese into the pile of shavings, and start to nibble away as usual. Then you notice the older rat peering disdainfully over his whiskers at you.

“I’m sorry, where are my manners? Won’t you have some?” you offer.

“Of course not,” he replies. “I never eat anything that came through the blue door.”

“Why not?” you wonder.

“If it didn’t come through the red door, then you don’t know where it’s been. Throw it away before you get hurt,” he instructs.

“But I don’t know where it’s been before it comes through the red door either,” you protest.

Nevertheless, he takes your cheese and hurls it out through the bars of the cage, then settles back into the pile of wood shavings, nodding contentedly to himself.

The next day, it’s the blue door again. Your companion huffs as you enthusiastically dig in. The day after is the same, and several days after that. The other rat is growing thinner and looking older, but he still refuses to eat anything that doesn’t come from the red door – and those bits that do are all a tangle of silver with hardly any cheese at all.

As long as you filter and escape user data, does it make a difference whether it came from $_GET or $_POST? So what’s wrong with $_REQUEST?
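The practical answer to that question, as an added example that is not part of the original post: `$_REQUEST` is a merge of `$_GET`, `$_POST` and `$_COOKIE` in the order given by the `request_order` ini setting (falling back to `variables_order`), so a handler reading it cannot tell which door the value came through. `build_request()` and `delete_action()` are hypothetical helpers that emulate that merge and show a state-changing handler reading only the source it intends; the sample arrays are constructed so the script runs from the CLI.

```php
<?php
// Added example (not from the post). Emulates how PHP fills $_REQUEST
// and contrasts it with reading the intended superglobal directly.

// Later letters in $order overwrite earlier ones, as PHP does for
// request_order (php.ini-production ships "GP"; if unset, the G/P/C
// letters of variables_order apply). The order is a deployment choice,
// so code reading $_REQUEST cannot know which source won.
function build_request(array $get, array $post, array $cookie, string $order = 'GP'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        $request = array_merge($request, $sources[$letter] ?? []);
    }
    return $request;
}

// A handler that changes state should insist on POST and read $_POST only,
// so a GET (bookmark, prefetch, crawler) can never trigger it.
// Returns the action to perform, or null when the request is refused.
function delete_action(string $method, array $post): ?string
{
    if ($method !== 'POST') {
        return null; // GET/HEAD must stay idempotent: refuse to act
    }
    // Filter: only a positive integer id is accepted
    $id = filter_var(
        $post['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return ($id === false || $id === null) ? null : "delete:$id";
}

// Constructed sample: the form posts id=7, but the URL carries ?id=42
// and a cookie named id is also present.
$get    = ['id' => '42'];
$post   = ['id' => '7'];
$cookie = ['id' => '99'];

// Which value $_REQUEST['id'] holds depends on request_order alone.
echo "request_order=GP -> id=", build_request($get, $post, $cookie, 'GP')['id'], "\n";
echo "request_order=PC -> id=", build_request($get, $post, $cookie, 'PC')['id'], "\n";

// Reading from the intended source removes the ambiguity entirely.
echo "POST handler -> ", delete_action('POST', $post) ?? 'refused', "\n";
echo "GET handler  -> ", delete_action('GET', $post) ?? 'refused', "\n";
```

Escaping and filtering the value is still required either way; choosing the superglobal decides which HTTP methods are allowed to reach the handler at all.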

2 Comments »

  1. It depends on the security of your application.

    If you only use POST, and care, for a given form, it makes sense to never use REQUEST.

    Not that it’s hard to fake a post…

    But GETs are by definition supposed to be idempotent (ie, do nothing different if shown once or 100 times), while POSTs are not. So robots follow posts, but search engines don’t do GET, et cetera. So there’s that too.

    Comment by Shannon — July 12, 2006 @ 4:50 pm

  2. Shannon, I think you switched your words… robots should follow GET, not POST, because a GET is supposed to be idempotent.

    This brings up a pet peeve… all the ASP.NET websites that use doPostBack() javascript navigation for things that do NOT make any changes to the state of the universe. In other words, should be links, not postbacks.

    Comment by Xaprb — August 11, 2006 @ 1:17 am
