Use of $_REQUEST instead of $_GET, $_POST and $_COOKIE
In PHP we have the global variable $_REQUEST available, which can be used instead of using the global variables $_GET, $_POST and $_COOKIE individually.
For example:
<?php
// use
$bubu = $_REQUEST['bubu'];
// or one of the three below, depending on where the value comes from:
// if via GET
$bubu = $_GET['bubu'];
// if via POST
$bubu = $_POST['bubu'];
// if in a cookie
$bubu = $_COOKIE['bubu'];
?>
Taking into account the readability of the code and its efficiency, does using the variable $_REQUEST bring more value compared to the more specific use of the other three variables indicated, or would using $_REQUEST complicate things?
2 answers
It depends on the trust you have in the data coming from the client.
If you are sure that there is no repeated key, that is, that $_GET['bubu'], $_POST['bubu'] and $_COOKIE['bubu'] are never sent simultaneously, I don't see any problem using $_REQUEST.
Now if there is repetition of any key the following will happen:
<?php
setcookie("search","valueA")
?>
<!DOCTYPE HTML>
<html lang="">
<head>
<meta http-equiv='X-UA-Compatible' content='IE=9'>
<meta charset="UTF-8">
<title></title>
</head>
<body>
<?php
echo "GET =" .$_GET['search'] . "<br>";
echo "COOKIE =".$_COOKIE['search']. "<br>";
echo "REQUEST =" .$_REQUEST['search']. "<br>";
?>
</body>
</html>
For the URL
exemplo.com/index.php?search=valueB
we will have the following values:
GET =valueB
COOKIE =valueA
REQUEST =valueB
This depends on the order defined by the "variables_order" directive in php.ini, which defines the order in which the variables are parsed.
TL;DR
In terms of efficiency, there is no gain for PHP in accessing one variable or another, but using $_REQUEST can generate unexpected results.
The harm of using $_REQUEST lies in always using $_REQUEST for any situation. When we do not use the global variable specific to what we want, we are instructing our program to ask for "vodka or coconut water, whatever"¹, that is, to accept any type of user input, which may not be suitable in all cases.
When using $_REQUEST, PHP prioritizes the precedence of the global variables according to the variables_order configuration. By default it obeys the sequence EGPCS (Environment, Get, Post, Cookie, and Server).
The user can then easily skip some validation step of your system. A common example is the use of a hidden input in a form:
<form action="my/update/page" method="POST" onsubmit="doSomeJs()">
<input type="hidden" name="id" value="5">
<!-- the rest of the form -->
</form>
The user can simply send the id in this way: my/update/page?id=1, thus sending a different parameter.
Of course, it is possible to forge an HTTP request with a modified POST, but via GET it would be simpler for the ordinary user.
The misuse of $_REQUEST is in my view a security breach, not with as much impact as in the times of register_global, but it is still a breach that can be exploited.
From the point of view of reading the code, it becomes more difficult to identify the source of the information when using $_REQUEST:
<?php
// Without Request
$paginaOrigem = $_GET['paginaOrigem'];
$id = $_POST['id'];
$nome = $_POST['nome'];
$endereco = $_POST['endereco'];
$dataUltimoAcesso = $_COOKIE['ultimoAcesso'];
// With Request
$paginaOrigem = $_REQUEST['paginaOrigem'];
$id = $_REQUEST['id'];
$nome = $_REQUEST['nome'];
$endereco = $_REQUEST['endereco'];
$dataUltimoAcesso = $_REQUEST['ultimoAcesso'];
Conclusion
Think twice before using $_REQUEST, and use it only when necessary.
¹ Reference to a popular Brazilian song.
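Added example, not part of the answers above: it emulates how the merged value of a duplicated key changes with the configured source order, and shows a handler that reads id from one explicit source and rejects the request when the key also arrives through another channel. The request arrays are constructed sample data, and merge_request() and strict_int() are hypothetical helper names.

```php
<?php
// Constructed sample data (not a live request): the hidden field id=5 is
// sent by POST, id=1 is appended to the URL, and a cookie also carries id.
$get    = ['id' => '1'];
$post   = ['id' => '5', 'nome' => 'Ana'];
$cookie = ['id' => '9'];

// Emulates how PHP fills $_REQUEST: sources are merged left to right in the
// configured order (e.g. "GP" or "EGPCS"); later sources overwrite earlier ones.
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) { // E and S do not feed $_REQUEST
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: read a positive integer from one explicit source and
// refuse the request when any other source carries the same key.
function strict_int(string $key, array $expected, array ...$others): int
{
    foreach ($others as $other) {
        if (array_key_exists($key, $other)) {
            throw new InvalidArgumentException("'$key' sent through more than one channel");
        }
    }
    $value = filter_var($expected[$key] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($value === false) {
        throw new InvalidArgumentException("'$key' missing or not a positive integer");
    }
    return $value;
}

// Same request, different merged value depending on the configured order.
foreach (['GP', 'PG', 'EGPCS'] as $order) {
    echo "order=$order REQUEST[id]=", merge_request($order, $get, $post, $cookie)['id'], PHP_EOL;
}

try {
    strict_int('id', $post, $get, $cookie); // duplicated key: rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'accepted: ', strict_int('id', $post, [], []), PHP_EOL; // POST only
```

In a real handler the arguments would be $_POST, $_GET and $_COOKIE; the effective order for $_REQUEST can be checked with ini_get('request_order'), which falls back to variables_order when it is empty.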