Use of $_REQUEST instead of $_GET, $_POST and $_COOKIE

In PHP we have the global variable $_REQUEST available, which can be used instead of the individual global variables $_GET, $_POST and $_COOKIE.

For example:

<?php
// use
$bubu = $_REQUEST['bubu'];

// or one of the three below, depending on the location:

// if via GET
$bubu = $_GET['bubu'];

// if via POST
$bubu = $_POST['bubu'];

// if in a cookie
$bubu = $_COOKIE['bubu'];
?>

Taking into account code readability and efficiency, does using the $_REQUEST variable bring more value than the more specific use of the other three variables indicated, or would using $_REQUEST complicate things?

Author: gmsantos, 2014-10-16

2 answers

It depends on how much you trust the data coming from the client. If you are sure that there is no repeated key, that is, that $_GET['bubu'], $_POST['bubu'] and $_COOKIE['bubu'] are never sent at the same time, I don't see any problem using $_REQUEST.

Now, if any key is repeated, the following will happen:

<?php

setcookie("search", "valueA");

?>
<!DOCTYPE HTML>
<html lang="">
<head>
    <meta http-equiv='X-UA-Compatible' content='IE=9'>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
<?php
echo "GET =" .$_GET['search'] . "<br>";
echo "COOKIE =".$_COOKIE['search']. "<br>";
echo "REQUEST =" .$_REQUEST['search']. "<br>";
?>
</body>
</html>

For the URL

exemplo.com/index.php?search=valueB

we will have the following values:

GET =valueB
COOKIE =valueA
REQUEST =valueB

This depends on the order defined by the "variables_order" directive in php.ini, which sets the order in which the variables are parsed.

http://php.net/manual/en/ini.core.php#ini.variables-order

 8
Author: Manuel Gerardo Pereira, 2018-09-19 16:07:48

TL;DR

In terms of efficiency, PHP gains nothing from accessing one variable or the other, but using $_REQUEST can produce unexpected results.


The harm of using $_REQUEST lies in always using $_REQUEST for any situation. When we do not use the global variable specific to what we want, we are instructing our program to ask for "vodka or coconut water, whatever"¹, to accept any type of user input, which may not be suitable in all cases.

When using $_REQUEST, PHP sets the precedence of the global variables according to the variables_order configuration. By default it obeys the sequence EGPCS (Environment, Get, Post, Cookie, and Server).

The user can then easily skip some validation step of your system. A common example is the use of a hidden input in a form:

<form action="my/update/page" method="POST" onsubmit="doSomeJs()">
    <input type="hidden" name="id" value="5">
    <!-- the rest of the form -->
</form>

The user can simply send the id this way: my/update/page?id=1, thus sending a different parameter.

Of course, it is possible to forge an HTTP request with a modified POST, but via GET it would be simpler for the ordinary user.

The misuse of $_REQUEST is in my view a security breach, not with as much impact as in the times of register_globals, but it is still a breach that can be exploited.

From the point of view of reading the code, it becomes more difficult to identify the source of the information using $_REQUEST:

<?php

// Without $_REQUEST

$paginaOrigem       = $_GET['paginaOrigem'];
$id                 = $_POST['id'];
$nome               = $_POST['nome'];
$endereco           = $_POST['endereco'];
$dataUltimoAcesso   = $_COOKIE['ultimoAcesso'];

// With $_REQUEST

$paginaOrigem       = $_REQUEST['paginaOrigem'];
$id                 = $_REQUEST['id'];
$nome               = $_REQUEST['nome'];
$endereco           = $_REQUEST['endereco'];
$dataUltimoAcesso   = $_REQUEST['ultimoAcesso'];

Conclusion

Think twice before using $_REQUEST, and use it only when necessary.

¹ Reference to a popular Brazilian song

 6
Author: gmsantos, 2014-12-09 11:31:27
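
The precedence described in both answers, as an added example that is not part of either answer: it models how $_REQUEST is merged for the EGPCS order quoted above and compares what a $_REQUEST-based handler sees for the hidden-id form with what a POST-only read accepts. build_request() and read_post_id() are hypothetical helpers, and the three requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: models how PHP fills $_REQUEST from GET/POST/COOKIE.
// $order uses the letters of variables_order; E and S do not feed $_REQUEST.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // A source parsed later overwrites earlier values for the same key.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical strict reader: takes "id" from the POST body only and
// rejects anything that is not a positive integer.
function read_post_id(array $post): ?int
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed requests against the form above (hidden id=5, method POST).
// Each entry is [GET parameters, POST body, cookies].
$cases = [
    'normal form submit'     => [[], ['id' => '5'], []],
    'plain GET, no body'     => [['id' => '1'], [], []],
    'POST, same-named cookie' => [[], ['id' => '5'], ['id' => '9']],
];

foreach ($cases as $label => [$get, $post, $cookie]) {
    $request = build_request('EGPCS', $get, $post, $cookie);
    printf("%-24s \$_REQUEST id=%s  POST-only id=%s\n",
        $label,
        $request['id'] ?? 'none',
        var_export(read_post_id($post), true));
}
```

On a real server the merge order can also be set by the request_order directive, which takes precedence over variables_order for $_REQUEST when it is non-empty, so check both in php.ini before relying on a particular result.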