From 0724a1791bcc9adfd4e0fae23ab5c4f6c3ac88e4 Mon Sep 17 00:00:00 2001 From: Derick Rethans Date: Tue, 22 Apr 2014 13:29:46 +0000 Subject: [PATCH] Mention that this is also true for POST (from a note by Mark Coudill). git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@333406 c90b9560-bf6c-de11-be94-00142212c4b1 --- reference/mongo/security.xml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/reference/mongo/security.xml b/reference/mongo/security.xml index 6f16d6fad0..2c4e40427b 100644 --- a/reference/mongo/security.xml +++ b/reference/mongo/security.xml @@ -7,9 +7,10 @@
Request Injection Attacks - If you are passing $_GET parameters to your queries, make - sure that they are cast to strings first. Users can insert associative - arrays in GET requests, which could then become unwanted $-queries. + If you are passing $_GET (or $_POST) + parameters to your queries, make sure that they are cast to strings first. + Users can insert associative arrays in GET and POST requests, which could + then become unwanted $-queries. @@ -28,9 +29,9 @@ - This is a fairly easy attack to defend against: make sure $_GET's parameters - are the type you expect before you send them to the database (cast them to - strings, in this case). + This is a fairly easy attack to defend against: make sure $_GET and $_POST + parameters are the type you expect before you send them to the database + (cast them to strings, in this case).
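Review bot: in the first hunk (@@ -7,9 +7,10 @@), the rewritten paragraph still enumerates superglobals by name ("$_GET (or $_POST)"), so the advice stays tied to a list that this commit already had to extend once. PHP builds arrays from bracketed parameter names in any request-supplied input, not only in these two, so consider wording the sentence around "any request-supplied parameter, for example $_GET or $_POST" so the guidance does not read as exhaustive.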
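Review bot: in the second hunk (@@ -28,9 +29,9 @@), the sentence asks readers to make sure the parameters "are the type you expect", but the only remedy offered is the parenthetical "cast them to strings". A (string) cast applied to an array in PHP yields the literal string "Array" and an "Array to string conversion" diagnostic, so the malformed request is silently turned into a query for "Array" instead of being rejected. Suggest adding that an explicit type check such as is_string() with rejection of non-string input is the stricter option, and keeping the cast as the minimal fix.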