Use of $_REQUEST instead of $_GET, $_POST and $_COOKIE

Viewed 13,586 times

17

In PHP we have the global variable $_REQUEST available, which can be used instead of the individual global variables $_GET, $_POST and $_COOKIE.

For example:

<?php
// use
$bubu = $_REQUEST['bubu'];

// or one of the three below, depending on where the value comes from:

// if via GET
$bubu = $_GET['bubu'];

// if via POST
$bubu = $_POST['bubu'];

// if in a Cookie
$bubu = $_COOKIE['bubu'];
?>

Taking into account code readability and efficiency, does using the $_REQUEST variable bring more value than the more specific use of the other three variables indicated, or would using $_REQUEST be complicating things?

2 answers

8

It depends on how much trust you have in the client's data. If you are sure that there is no repeated key, that is, that $_GET['bubu'], $_POST['bubu'] and $_COOKIE['bubu'] are never sent at the same time, I see no problem in using $_REQUEST.

Now, if any key is repeated, the following will happen:

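<?php
// The browser sends this cookie back from the next request onwards
setcookie("search", "valueA");
?>
<!DOCTYPE HTML>
<html lang="">
<head>
    <meta http-equiv='X-UA-Compatible' content='IE=9'>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
<?php
// All three values are client-controlled, so escape them before echoing
echo "GET =" . htmlspecialchars($_GET['search'] ?? '') . "<br>";
echo "COOKIE =" . htmlspecialchars($_COOKIE['search'] ?? '') . "<br>";
echo "REQUEST =" . htmlspecialchars($_REQUEST['search'] ?? '') . "<br>";
?>
</body>
</html>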

For the URL

exemplo.com/index.php?search=valueB

you will get the following values:

GET =valueB
COOKIE =valueA
REQUEST =valueB

This depends on the order defined by the "variables_order" directive in php.ini, which defines the order in which the variables are parsed.

http://php.net/manual/en/ini.core.php#ini.variables-order

  • 1

    Adding: Never trust the data a client can send, because you never have control over it. Better to expect something more specific than to risk making a mistake with something more general.

6

TL;DR

In terms of efficiency, there is no gain in PHP from accessing one variable or another, but using it can produce unexpected results.


The harm in using $_REQUEST lies in always using $_REQUEST for every situation. When we don't use the specific global variable for what we want, we are telling our program "Vodka or coconut water, I don't care"¹: accept any type of user input, which may not be suitable in all cases.

When we use $_REQUEST, PHP determines the precedence of the global variables according to the variables_order setting. By default it follows the sequence EGPCS (Environment, Get, Post, Cookie, and Server).

The user can then easily skip some validation step in your system. A common example is the use of a hidden input in a form:

<form action="my/update/page" method="POST" onsubmit="doSomeJs()">
    <input type="hidden" name="id" value="5">
    <!-- the rest of the form -->
</form>

The user can simply send the id like this: my/update/page?id=1, thereby sending a different parameter.

Of course, it is possible to forge an HTTP request with a modified POST, but doing it via GET would be simpler for the average user.

Misuse of $_REQUEST is, in my view, a security flaw; not with as big an impact as in the days of register_globals, but it's still a loophole that can be exploited.

From the point of view of reading the code, it is more difficult to identify the origin of the information using $_REQUEST:

<?php

// Without $_REQUEST

$paginaOrigem       = $_GET['paginaOrigem'];
$id                 = $_POST['id'];
$nome               = $_POST['nome'];
$endereco           = $_POST['endereco'];
$dataUltimoAcesso   = $_COOKIE['ultimoAcesso'];

// With $_REQUEST

$paginaOrigem       = $_REQUEST['paginaOrigem'];
$id                 = $_REQUEST['id'];
$nome               = $_REQUEST['nome'];
$endereco           = $_REQUEST['endereco'];
$dataUltimoAcesso   = $_REQUEST['ultimoAcesso'];

Conclusion

Think twice before using $_REQUEST, and use it only when necessary.

¹ Reference to a popular Brazilian song
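
An added example, not code from either answer: it emulates how $_REQUEST is merged for several order strings (the value of variables_order, or of request_order when that directive is set) and contrasts that with reading `id` from POST only while flagging the same key arriving through other sources. The helper names and the sample request values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Emulates how PHP builds $_REQUEST: sources are merged in the order given,
// so a later letter overwrites an earlier one.
function merge_like_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        // E and S (environment, server) do not feed $_REQUEST, so skip them
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: names of every source that carries $key.
function sources_with_key(string $key, array $get, array $post, array $cookie): array
{
    $all = ['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie];
    return array_keys(array_filter($all, fn(array $src) => array_key_exists($key, $src)));
}

// Hypothetical helper: positive integer from one explicit source, or null.
function read_id(array $source, string $key): ?int
{
    $id = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request: the form posts id=5, the URL adds ?id=1, a cookie holds id=9.
$get = ['id' => '1'];
$post = ['id' => '5'];
$cookie = ['id' => '9'];

foreach (['GP', 'PG', 'EGPCS'] as $order) {
    $request = merge_like_request($order, $get, $post, $cookie);
    echo "order $order: \$_REQUEST['id'] would be {$request['id']}\n";
}

$id = read_id($post, 'id');
$seenIn = sources_with_key('id', $get, $post, $cookie);
echo 'id read from POST only: ' . var_export($id, true) . "\n";
if (count($seenIn) > 1) {
    echo "warning: 'id' arrived via " . implode(', ', $seenIn) . "; reject or log the request\n";
}
```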
