TL;DR
In terms of efficiency, PHP gains nothing from accessing one variable rather than another, but its use can produce unexpected results.
The harm in using $_REQUEST is always using $_REQUEST for any situation. When we don't use the specific global variable for what we want, we are telling our program "Vodka or Coconut Water, I don't care"¹: accept any type of user input, which may not be suitable in all cases.
When we use $_REQUEST, PHP prioritizes the precedence of global variables according to the variables_order configuration. By default it follows the sequence EGPCS (Environment, Get, Post, Cookie, and Server).
The user can then easily skip some validation step of your system. A common example is the use of a hidden input on a form:
<form action="my/update/page" method="POST" onsubmit="doSomeJs()">
<input type="hidden" name="id" value="5">
<!-- the rest of the form -->
</form>
The user can simply send the id like this: my/update/page?id=1, thereby sending a different parameter.
Of course, it is possible to forge an HTTP request with a modified POST, but doing it through GET would be simpler for the average user.
Misuse of $_REQUEST is, in my view, a security breach, not as big an impact as in the times of register_globals, but it's still a loophole that can be exploited.
From the point of view of reading the code, it is more difficult to identify the origin of the information when using $_REQUEST:
<?php
// Without Request
$paginaOrigem = $_GET['paginaOrigem'];
$id = $_POST['id'];
$nome = $_POST['nome'];
$endereco = $_POST['endereco'];
$dataUltimoAcesso = $_COOKIE['ultimoAcesso'];
// With Request
$paginaOrigem = $_REQUEST['paginaOrigem'];
$id = $_REQUEST['id'];
$nome = $_REQUEST['nome'];
$endereco = $_REQUEST['endereco'];
$dataUltimoAcesso = $_REQUEST['ultimoAcesso'];
Conclusion
Think twice before using $_REQUEST, and use it only when necessary.
¹ Reference to a popular Brazilian song
Adding: Never trust the data a client can pass on, because you never have control over it. Better to expect something more specific than to risk making a mistake with something more general.
– Eitch
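An added example, not part of the original answer or comment: it replays the hidden-id form from the answer against a handler that reads the merged request and one that accepts the id only from a POST body. The function names, the 'GPC' order string and the three requests are constructed for illustration; on a real server the merge order comes from php.ini.

```php
<?php
declare(strict_types=1);

// Mimics how PHP fills $_REQUEST: sources are merged left to right in the
// configured order, so a later source overwrites an earlier one.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Loose handler: takes "id" from wherever it happened to arrive.
function idFromRequest(array $request): ?int
{
    return isset($request['id']) ? (int) $request['id'] : null;
}

// Strict handler: only a POST body may carry the id, and it must be a positive integer.
function idFromPost(string $method, array $post): ?int
{
    if ($method !== 'POST' || !isset($post['id'])) {
        return null;
    }
    $id = filter_var($post['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed requests: [method, GET, POST, COOKIE]
$cases = [
    'form submit'      => ['POST', [], ['id' => '5'], []],
    'plain link ?id=1' => ['GET', ['id' => '1'], [], []],
    'cookie named id'  => ['POST', [], ['id' => '5'], ['id' => '1']],
];

foreach ($cases as $label => [$method, $get, $post, $cookie]) {
    $request = buildRequest('GPC', $get, $post, $cookie);
    printf("%-18s loose=%s strict=%s\n", $label,
        var_export(idFromRequest($request), true),
        var_export(idFromPost($method, $post), true));
}
```

Reading from $_POST only pins down where the id came from; whether the caller is allowed to update that record still needs its own check on the server.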