TL;DR
In terms of performance, PHP gains nothing from accessing one variable rather than another, but using $_REQUEST may yield unexpected results.
The bad thing about $_REQUEST is using it always, in every situation. When we do not use the specific global variable for what we want, we are instructing our program to take a "vodka or coconut water, it's all the same to me"¹ attitude and accept any kind of input from the user, which may not be suitable in all cases.
When we use $_REQUEST, PHP resolves the precedence of the global variables according to the variables_order configuration. By default it obeys the EGPCS (Environment, Get, Post, Cookie, and Server) sequence.
A user can then easily bypass some of your system's validation steps. A common example is a hidden input in a form:
<form action="my/update/page" method="POST" onsubmit="doSomeJs()">
<input type="hidden" name="id" value="5">
<!-- the rest of the form -->
</form>
The user can simply send id this way, my/update/page?id=1, thus sending a different parameter.
Of course, it is possible to forge an HTTP request with a modified POST, but doing it through GET would be simpler for the average user.
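The precedence behaviour described above, as an added example that is not part of the original text: buildRequest() and idFromPost() are hypothetical helpers, and buildRequest() only emulates the merge (it takes the order string as a parameter) so the script can run from the command line without a web server. The sample requests are constructed around the form shown above.

```php
<?php
// Added example. buildRequest() and idFromPost() are hypothetical helpers.
// buildRequest() emulates how PHP fills $_REQUEST from an order string:
// sources are merged left to right, so a later source overwrites an earlier one.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {   // E and S never feed $_REQUEST
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hardened read: take id only from the POST body and require a positive integer.
function idFromPost(array $post): ?int
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed requests against the form above (hidden id = 5).
$cases = [
    'form submitted as intended'        => ['GP', [],            ['id' => '5']],
    'GET my/update/page?id=1, no body'  => ['GP', ['id' => '1'], []],
    'id in both, order GP'              => ['GP', ['id' => '1'], ['id' => '5']],
    'id in both, order PG'              => ['PG', ['id' => '1'], ['id' => '5']],
];

foreach ($cases as $label => [$order, $get, $post]) {
    $request = buildRequest($order, $get, $post, []);
    printf("%-34s \$_REQUEST id=%s  \$_POST-only id=%s\n",
        $label, $request['id'] ?? 'none', var_export(idFromPost($post), true));
}
```

In the second case the $_REQUEST read accepts the query-string value while the $_POST-only read rejects the request, and the last two cases show that which value wins depends entirely on the configured order.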
Misuse of $_REQUEST is in my view a security breach, not with as much impact as in register_globals times, but it is still a breach that can be exploited.
From a code-readability standpoint, it is harder to identify where the data comes from when using $_REQUEST:
<?php
// Without $_REQUEST
$paginaOrigem = $_GET['paginaOrigem'];
$id = $_POST['id'];
$nome = $_POST['nome'];
$endereco = $_POST['endereco'];
$dataUltimoAcesso = $_COOKIE['ultimoAcesso'];
// With $_REQUEST
$paginaOrigem = $_REQUEST['paginaOrigem'];
$id = $_REQUEST['id'];
$nome = $_REQUEST['nome'];
$endereco = $_REQUEST['endereco'];
$dataUltimoAcesso = $_REQUEST['ultimoAcesso'];
Conclusion
Think twice before using $_REQUEST, and use it only when needed.
¹ Reference to a Popular Brazilian Music