PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking

"Although PHP 5.3 is still in alpha stage and certain features like
the PHAR extension or the whole namespace support are still topics of
endless discussions, it already contains smaller changes that could
improve the security of PHP applications a lot.

One of these small changes is the introduction of a new php.ini
directive called request_order. request_order is the response of the
PHP developers to me preaching for years that using $_REQUEST is not
only deprecated but actually dangerous for PHP applications. With
request_order it is now possible to control in what order $_REQUEST is
created and what variable sources are taken into account. This finally
allows removing cookie data from $_REQUEST without removing it from
$_COOKIE as well.

Because removing cookies from $_REQUEST might break badly written
software, request_order is not set by default. However, the recommended
setting by the PHP developers is to set it to "GP", which means only
$_GET and $_POST data is merged into $_REQUEST, with $_POST data
overwriting $_GET data.

To learn why using $_REQUEST is a bad idea and what Delayed Cross Site Request Forgeries/Hijacking are continue reading…"

Read more: http://www.suspekt.org/2008/10/01/php-53-and-delayed-cross-site-request-forgerieshijacking/
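Added example, not code from the suspekt.org post or from CGISecurity: a PHP 5.3-compatible script that rebuilds $_REQUEST from constructed $_GET, $_POST and $_COOKIE arrays following the same source ordering PHP uses, so the effect of the request_order directive can be seen without reconfiguring a server. The function name build_request and the sample parameter and cookie names are assumptions made for illustration.

```php
<?php
// Added example: reproduces the merge PHP performs when it builds
// $_REQUEST, so the effect of request_order can be observed offline.
// build_request and the sample arrays below are constructed for this
// demonstration and are not part of PHP or of the original post.

/**
 * Build a $_REQUEST-style array from the three sources in the order
 * given by $order. Only the letters G, P and C are honoured; E and S
 * are ignored, as they are when PHP reads variables_order/request_order.
 * Later sources overwrite earlier ones that use the same key.
 */
function build_request($order, array $get, array $post, array $cookie)
{
    $request = array();
    foreach (str_split(strtoupper($order)) as $source) {
        switch ($source) {
            case 'G': $src = $get;    break;
            case 'P': $src = $post;   break;
            case 'C': $src = $cookie; break;
            default:  continue 2;     // E, S or anything else: skip
        }
        foreach ($src as $key => $value) {
            $request[$key] = $value;  // keep keys as-is, no renumbering
        }
    }
    return $request;
}

// Constructed request: the link the victim clicks carries ?action=view,
// but the browser also sends a cookie named "action" that was planted
// earlier (for example by a script on a host that may set cookies for
// the parent domain). The cookie sits there until a later request uses
// $_REQUEST['action'], which is the "delayed" part of the attack.
$get    = array('action' => 'view', 'id' => '42');
$post   = array();
$cookie = array('action' => 'delete', 'PHPSESSID' => 'abc123');

// With request_order unset, PHP falls back to variables_order, whose
// php.ini default is "EGPCS": cookies are merged last and win.
$legacy = build_request('EGPCS', $get, $post, $cookie);

// With the recommended request_order = "GP", cookies never enter
// $_REQUEST, while $_COOKIE itself is left untouched.
$hardened = build_request('GP', $get, $post, $cookie);

printf("variables_order EGPCS -> action=%s\n", $legacy['action']);
printf("request_order   GP    -> action=%s\n", $hardened['action']);
printf("cookie still available -> %s\n",
       isset($cookie['action']) ? 'yes' : 'no');

// Checking a real server. request_order is read when the request is
// set up, so it belongs in php.ini (or an equivalent per-directory
// configuration), not in an ini_set() call inside the application:
//
//   ; php.ini, weak (cookies end up in $_REQUEST):
//   ;request_order =
//   ; php.ini, recommended:
//   request_order = "GP"
$current = ini_get('request_order');
echo "request_order on this build: "
   . (($current === '' || $current === false)
        ? '(unset, falls back to variables_order)'
        : $current) . "\n";
```

Run with `php request_order_demo.php`. Under the "EGPCS" merge the planted cookie value replaces the query-string value of `action`, while under "GP" the query-string value survives and the cookie is only reachable through $_COOKIE, where code has to ask for it explicitly. The final lines print the directive's current value so the check can be repeated on a live installation, where an empty or missing value means the old cookie-inclusive behaviour is still in effect.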