I'm currently looking at options for security on the site I am planning. Using the PHP configuration file it is possible to "turn off" the PHP feature which converts every POSTed or GETed variable into a standard variable available to the script. You can then access these variables using the $HTTP_POST_VARS and $HTTP_GET_VARS global arrays. Obviously this tightens up security a great deal, as people can't feed dummy values to your scripts; however, it also adds more work when writing scripts.
Is it worthwhile implementing this as a security measure?
Skunk - completely off topic, but can you please contact me via PM or email? And perhaps read your personal messages?!?
I question whether this really tightens up security at all. Firstly, GET variables are passed in the URL string. So whether you access them using the $HTTP_GET_VARS array or directly by their name doesn't change the fact that a user can try to crack your script by passing values in the URL.
Same thing for $HTTP_POST_VARS array. A user can still try to send a header with malicious intent. I can't see how it could make a difference.
Personally I would leave it as it is for simplicity.
Although, it's important that you write your scripts knowing that if you are accessing a variable that hasn't been assigned a value, then the value could be just about anything.
Of course all programmers know this, but in PHP it is easy to become complacent and rely on isset($value) to find out whether you have given a value to a variable.
If the variables you need to use are going to be important, such as when you are updating or inserting into a table, or accessing private records, you should validate the input values properly anyway.
So yeah, I don't think that kind of thing is necessary, as long as you follow good programming procedures. If it is for an application of utmost security, and you are not confident that your scripts have no security gaps, then you COULD start using the $HTTP_POST_VARS, etc.
Also, you could just as easily get unwanted values in $HTTP_POST_VARS if you don't validate them as well, so it'd still be more work.
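The following is an added example, not code posted by anyone in this thread, illustrating both the question in the first post (what the "turn off" setting, register_globals, actually changes) and the point in the reply above about relying on isset() for a variable that was never assigned. register_globals has been off by default since PHP 4.2.0 and was removed in PHP 5.4, and $HTTP_GET_VARS was replaced by $_GET (available since 4.1.0, the old array removed in 5.4), so the example uses $_GET-style arrays and simulates the register_globals behaviour with extract(), which injects request keys into the variable scope in the same way. The request array, the session flag and the record_id parameter are constructed for the demonstration.

```php
<?php
// Added example: register_globals-style variable injection versus an
// explicit, validated read from the request array.
// register_globals no longer exists in modern PHP; extract() on the request
// array reproduces the same mechanism (request keys become variables).
declare(strict_types=1);

// Constructed request: the attacker appended ?authorized=1&record_id=7;+DROP+TABLE+users
$request = ['authorized' => '1', 'record_id' => '7; DROP TABLE users'];

// --- Vulnerable pattern (register_globals on, or an equivalent extract()) ---
function vulnerable_check(array $get): string
{
    // With register_globals on, $authorized already exists in scope as soon as
    // the client sends ?authorized=1, so the isset() "check" is satisfied by
    // attacker-controlled input rather than by anything the script assigned.
    extract($get); // simulates register_globals
    if (isset($authorized) && $authorized) {
        return 'ACCESS GRANTED to record ' . ($record_id ?? 'none');
    }
    return 'denied';
}

// --- Hardened pattern: initialise your own state, validate all input ---
function hardened_check(array $get, bool $sessionAuthorized): string
{
    // 1. Authorization state is assigned by the script from server-side data
    //    (a constructed session flag here); a request key cannot pre-set it.
    $authorized = $sessionAuthorized;

    // 2. Request data is read only through the request array and validated
    //    against the exact shape expected: a positive integer.
    $recordId = filter_var(
        $get['record_id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($recordId === false) {
        return 'invalid record_id';
    }

    return $authorized ? "ACCESS GRANTED to record $recordId" : 'denied';
}

echo vulnerable_check($request), PHP_EOL;                 // grants access on the attacker's input
echo hardened_check($request, false), PHP_EOL;            // rejects the malformed record_id
echo hardened_check(['record_id' => '42'], true), PHP_EOL; // grants access only with the session flag
```

The two functions show why the reply above is right that the global-array setting alone does not make a script safe: what closes the hole is assigning security-relevant variables yourself before use and validating request values, and that work is needed whether the data arrives as a register_globals variable, through $HTTP_GET_VARS, or through $_GET.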