I’m currently using getenv() to get various variables, where I have issues is with getenv('PHP_AUTH_USER').
Apparently this won’t work in PHP 5.1.15 and I have to use $_SERVER['PHP_AUTH_USER'] instead. If anyone knows why, please explain.
If it’s coming via the url then you should use $_GET otherwise you should be using $_POST. Also if you’ve got any code that uses the old mysql_* extension, please be aware that the mysql_* extension is now deprecated as of the current version of PHP and will very likely be removed from the next 5.x version and will likely not be in PHP 6.x (when it eventually is released). You should migrate over to either the mysqli_* extension or to PDO. PDO is a better choice as it doesn’t tie you down so much to a particular database server software.
Once you have migrated you should use Prepared Statements to prevent SQL Injection attacks. Have a read of this article from the PHP manual, it shows how to use prepared statements with PDO and also explains the principle.
The next version of PHP (according to this RFC) is set to be PHP 7 (though there have been recent talks of a PHP 5.7 before the next major version is released on the PHP@Internals mailing list).
I’m not entirely sure why that is, though why not use the data in the $_SERVER superglobal anyway? PHP automatically populates the $_SERVER array and makes it readily available wherever, so why have the extra overhead of a function call in your script?
The problem with $_REQUEST is that the cookies have precedence over the other (POST & GET). You accidentally set a cookie as the same name as another variable you use anywhere else in a post or a get, well that variable will always have the value of your cookie.
Not necessarily as you can change the order of precedence between the three but the fact that the value could be coming from any of the three where you almost certainly expect it to be provided via one specific way is enough of a reason not to use it.
Yep! But I guess most of the people using $_REQUEST don’t really know what they’re doing, so I guess they won’t change the order or even know that they can or know how it all works anyway. And, it’s probably not a good idea for security either. Being able to change POST values with GET… seems tricky.
Only most? As the advice being given ten years ago was to stop using $_REQUEST because it represents a probable security hole I’d say that anyone using it doesn’t really know what they are doing. Of course many newbies can be in that position until they learn better.
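The $_REQUEST precedence behaviour discussed in the posts above, shown as an added example (not code from any poster in this thread). The helper names `build_request` and `shadowed_keys` and all sample values are constructed for illustration, and the merge is a simplified model that handles scalar parameters only.

```php
<?php
declare(strict_types=1);

// Simplified model of how PHP fills $_REQUEST: sources named in request_order
// (or variables_order when request_order is unset) are merged left to right,
// and a later source overwrites an earlier one. Scalar parameters only.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Names that arrive through more than one channel: the cases where
// $_REQUEST silently picks a winner. Worth logging or rejecting.
function shadowed_keys(array $get, array $post, array $cookie): array
{
    $seen = [];
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $label => $src) {
        foreach (array_keys($src) as $key) {
            $seen[$key][] = $label;
        }
    }
    return array_filter($seen, fn(array $labels): bool => count($labels) > 1);
}

// Constructed sample request (not from the thread): a form POST, a stale
// cookie that reuses a field name, and a query string appended to the URL.
$get    = ['amount' => '9999', 'note' => 'from-url'];
$post   = ['account_id' => '42', 'amount' => '10'];
$cookie = ['account_id' => '7'];

foreach (['GPC', 'GP', 'PG'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("%-3s account_id=%s amount=%s note=%s\n", $order,
        $request['account_id'], $request['amount'], $request['note']);
}

// Reading the source the form actually uses removes the ambiguity.
printf("POST account_id=%s amount=%s\n", $post['account_id'], $post['amount']);

foreach (shadowed_keys($get, $post, $cookie) as $key => $labels) {
    printf("collision: %s sent via %s\n", $key, implode('+', $labels));
}
```

The three orderings give different values for the same request, while the explicit read from the POST data does not depend on the ini setting at all.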
As ahundiak stated most frameworks abstract globals away to promote OOP, facilitate testing, and ultimately improve upon the low level handling of things in the language itself that quite frankly… suck.