Using $_REQUEST instead of $_GET, $_POST, and $_COOKIE

17

In PHP we have the global variable $_REQUEST, which can be used instead of the global variables $_GET, $_POST and $_COOKIE.

For example:

<?php
// use
$bubu = $_REQUEST['bubu'];

// or one of the three below, depending on where the value comes from:

// if sent via GET
$bubu = $_GET['bubu'];

// if sent via POST
$bubu = $_POST['bubu'];

// if in a cookie
$bubu = $_COOKIE['bubu'];
?>

In terms of code readability and efficiency, does using the $_REQUEST variable bring more value than the more specific use of the other three variables indicated, or would using $_REQUEST complicate things?

    
asked by anonymous 16.10.2014 / 12:43

2 answers

8

It depends on how much confidence you have in data coming from the client. If you are sure that there is no duplicate key, i.e. there is no concurrent sending of $_GET['bubu'], $_POST['bubu'] and $_COOKIE['bubu'], I do not see any problem using $_REQUEST.

Now if a key is repeated, the following will happen:

<?php

setcookie("search","valueA");

?>
<!DOCTYPE HTML>
<html lang="">
<head>
    <meta http-equiv='X-UA-Compatible' content='IE=9'>
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
<?php
echo "GET =" .$_GET['search'] . "<br>";
echo "COOKIE =".$_COOKIE['search']. "<br>";
echo "REQUEST =" .$_REQUEST['search']. "<br>";
?>
</body>
</html>

For the URL

exemplo.com/index.php?search=valueB

you will have the following values:

GET =valueB
COOKIE =valueA
REQUEST =valueB

This depends on the order defined by the php.ini directive "variables_order", which defines the order in which the variables are parsed.


    
16.10.2014 / 13:50
6

TL;DR

In terms of efficiency, there is no gain for PHP when accessing one variable or another, but its use may yield unexpected results.

The bad thing about $_REQUEST is always using it for every situation. When we do not use the specific global variable for what we want, we are instructing our program to take a "vodka or coconut water, it's all the same to me"¹ attitude and accept any kind of input from the user, which may not be suitable in all cases.

When we use $_REQUEST, PHP prioritizes the precedence of global variables according to the "variables_order" configuration. By default it obeys the EGPCS (Environment, Get, Post, Cookie, and Server) sequence.

The user can then easily skip some validation steps in your system. A common example is the use of a hidden input in a form:

<form action="my/update/page" method="POST" onsubmit="doSomeJs()">
    <input type="hidden" name="id" value="5">
    <!-- the rest of the form -->
</form>

The user can simply send id this way: my/update/page?id=1, thus sending a different parameter.

Of course, it is possible to forge an HTTP request with a modified POST, but via GET it would be simpler for the average user.

Misuse of $_REQUEST is, in my view, a security breach, not with as much impact as in the register_globals days, but it is still a breach that can be exploited.

From the point of view of reading the code, it is more difficult to identify the source of the information when using $_REQUEST:

<?php

// Without $_REQUEST

$paginaOrigem       = $_GET['paginaOrigem'];
$id                 = $_POST['id'];
$nome               = $_POST['nome'];
$endereco           = $_POST['endereco'];
$dataUltimoAcesso   = $_COOKIE['ultimoAcesso'];

// With $_REQUEST

$paginaOrigem       = $_REQUEST['paginaOrigem'];
$id                 = $_REQUEST['id'];
$nome               = $_REQUEST['nome'];
$endereco           = $_REQUEST['endereco'];
$dataUltimoAcesso   = $_REQUEST['ultimoAcesso'];

Conclusion

Think twice before using $_REQUEST, and use it only when needed.

¹ Reference to a popular Brazilian song.

    
09.12.2014 / 12:19
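The hidden-field case discussed in the answers, as an added example that is not part of either original answer: it simulates a $_REQUEST-style merge under two source orders and compares it with a reader that accepts `id` from the POST body only and reports other sources that try to supply it. The function names `buildRequest` and `readPostId`, the order strings and the sample requests are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Simulates how a $_REQUEST-style array is filled: sources are merged in the
// configured order and a later source overwrites an earlier one for the same key.
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical hardened reader: takes "id" from the POST body only, validates it,
// and lists any other source that carried a different "id" (worth logging).
function readPostId(array $get, array $post, array $cookie): array
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['ok' => false, 'reason' => 'id missing from POST or not a positive integer'];
    }
    $conflicts = [];
    foreach (['GET' => $get, 'COOKIE' => $cookie] as $name => $source) {
        if (isset($source['id']) && $source['id'] !== $post['id']) {
            $conflicts[] = $name;
        }
    }
    return ['ok' => true, 'id' => $id, 'conflicts' => $conflicts];
}

// Constructed requests: [GET, POST, COOKIE] as PHP would have parsed them.
$cases = [
    'form post plus ?id=1' => [['id' => '1'], ['id' => '5'], []],
    'GET only, no body'    => [['id' => '1'], [], []],
];
foreach ($cases as $label => [$get, $post, $cookie]) {
    foreach (['GP', 'PG'] as $order) {
        $request = buildRequest($order, $get, $post, $cookie);
        echo "$label | order=$order | merged id=", $request['id'] ?? 'none', "\n";
    }
    echo "$label | POST-only reader: ", json_encode(readPostId($get, $post, $cookie)), "\n";
}
```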