
quick question on $_REQUEST

Posted: Wed Mar 03, 2010 4:13 pm
by scarface222
Hey, just a quick question for anyone that knows. I have a form with check boxes that correspond to a list of images. The user can select multiple images to delete, or select one image to set as a user pic. I am however a little confused because I am trying to prevent the user from selecting multiple pictures to set as user pic, so I tried to count the $_REQUEST variable sent from the form, but it seems to be a different number each time I use it. For example, last time the count was 7 when selecting one input, now it is 8. The number rises when more selections are made, but the starting number seems to change and I do not know why. Is there a way to properly count the requests so I can just cancel the request if count is greater than 1? Appreciate any advice.

Code:

<input type="submit" id="loginbutton" name="Set" value="Set As Userpic">

<?php
if (isset($_REQUEST['Set'])) {
    // Counts every field in the merged request, not only the checked boxes
    echo $count = count($_REQUEST);
}
?>
 

Re: quick question on $_REQUEST

Posted: Wed Mar 03, 2010 5:43 pm
by flying_circus
$_REQUEST is a merge of $_GET, $_POST, and $_COOKIE in some order. If any of those values change, it may affect the count of $_REQUEST. The first step is to NEVER use $_REQUEST.

If you need to work with posted form data, use $_POST.
If you need to work with URL Querystring data, use $_GET.
If you need to access cookie data, use $_COOKIE.


NEVER use $_REQUEST. Know where your data is coming from.

Re: quick question on $_REQUEST

Posted: Wed Mar 03, 2010 6:21 pm
by scarface222
I appreciate the response and the information is good to know, but I am working with check-boxes, and I cannot count the number of selected check-boxes without $_REQUEST. Do you have any suggestions? I am currently using a foreach statement which works fine along with $_REQUEST for the delete button, but as far as preventing multiple selections of check boxes for the set as userpic, I am not so sure.

Re: quick question on $_REQUEST

Posted: Wed Mar 03, 2010 6:39 pm
by scarface222
Never mind, I just deleted the count. If someone selects multiple pics, only one will be their pic anyway. Would just be nice to know a way. Thanks for explaining to me though man, appreciate it.

Re: quick question on $_REQUEST

Posted: Wed Mar 03, 2010 7:01 pm
by requinix
flying_circus wrote: The first step is to NEVER use $_REQUEST.
I'm not such a hater. I would say "NEVER use $_REQUEST unless a) you actually want to check GET, POST, or COOKIE, and b) you know for sure which order the variables come in".

count($_REQUEST) will give a count of all the fields submitted through the form and the URL. Everything.
I suspect you do something with your checkboxes like

Code:

<input type="checkbox" name="checkbox1" />
<input type="checkbox" name="checkbox2" />
<input type="checkbox" name="checkbox3" />

That's the wrong way of doing it.

Code:

<input type="checkbox" name="checkbox[]" />
<input type="checkbox" name="checkbox[]" />
<input type="checkbox" name="checkbox[]" />

This way, $_POST["checkbox"] will be an array, and you can use count($_POST["checkbox"]) to see how many were checked.

Re: quick question on $_REQUEST

Posted: Wed Mar 03, 2010 7:24 pm
by scarface222
That is really great to know. I thought "never use $_REQUEST" was a little strong as well; sometimes you do actually need it. I was indeed doing all my forms like that, and when I need to make a count, it makes it impossible. Anyway, I really appreciate it man.

Re: quick question on $_REQUEST

Posted: Thu Mar 04, 2010 1:19 am
by flying_circus
tasairis wrote:
flying_circus wrote: The first step is to NEVER use $_REQUEST.
I'm not such a hater. I would say "NEVER use $_REQUEST unless a) you actually want to check GET, POST, or COOKIE, and b) you know for sure which order the variables come in".
Yes, I am a hater, and I fail to see the benefit of using $_REQUEST, especially if we host the application on a server in which we can't control the configuration (and/or change of configuration).

Let's say we have an HTML form like this:

Code:

<html>
  <head>
    <title>Test</title>
  </head>
  <body>
    <form action="test.php" method="post">
    <input type="checkbox" name="checkbox[]" />
    <input type="checkbox" name="checkbox[]" />
    <input type="checkbox" name="checkbox[]" />
    <input type="checkbox" name="checkbox[]" />
    <input type="checkbox" name="checkbox[]" />
    <br />
    <input type="submit" />
    </form>
  </body>
</html>

Let us also say that I want to fool your $_REQUEST count. So I click 1 checkbox on the page and then I modify the URI to:

Code:

test.php?checkbox%5B%5D=on&checkbox%5B%5D=on

We then run our check:

Code:

<?php
  if(isset($_REQUEST['checkbox']))
    print "Request Count: " . count($_REQUEST['checkbox']) . "<br />";
  
  if(isset($_POST['checkbox']))
    print "Post Count: " . count($_POST['checkbox']) . "<br />";
?>

The output is:

Code:

Request Count: 2
Post Count: 1

In this specific example it may not make a difference, but what if we are manipulating an action or other poorly implemented hidden form data? We can easily modify a cookie, which, by default, has highest priority.

I think it is fair to state that the majority of code posted in this specific forum is code posted by people newer to PHP. To promote the use of $_REQUEST is a disservice, as I feel it promotes lazy coders and poor code. Many people, much smarter than me, who are accomplished security experts and have written texts on the subject, tend to agree.

I stand by my claim, never use $_REQUEST, as it can be misconstrued to push data to the server, which is in violation of RFC 2616, Section 9.1.1:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
I don't mean to be a negative nancy, or blunt. I just see the use of the $_REQUEST superglobal in code samples in this forum far too frequently. :(
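
The server-side check discussed in this thread, as an added example that is not code from any of the posters: it reads the selection from POST data only, so parameters appended to the URL cannot change the count, and it rejects a "Set As Userpic" request unless exactly one box was ticked. The field names `Set` and `checkbox` come from the posts above; the function name `selected_userpic()` and the use of image ids as checkbox values are assumptions.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+.
// "Set" and "checkbox" are the field names used in the posts above;
// selected_userpic() and image ids as checkbox values are assumptions.

/**
 * Return the one image id chosen for "Set As Userpic", or null when the
 * request has to be rejected.
 */
function selected_userpic(string $method, array $post): ?int
{
    // A state-changing action is accepted over POST only.
    if ($method !== 'POST' || !isset($post['Set'])) {
        return null;
    }
    // name="checkbox[]" must arrive as an array; anything else is malformed.
    $picked = $post['checkbox'] ?? null;
    if (!is_array($picked) || count($picked) !== 1) {
        return null;
    }
    // The single element must be a positive integer id, not a nested array.
    $id = reset($picked);
    if (!is_string($id)) {
        return null;
    }
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample requests: [label, method, POST body].
$cases = [
    ['one box ticked',       'POST', ['Set' => 'Set As Userpic', 'checkbox' => ['7']]],
    ['two boxes ticked',     'POST', ['Set' => 'Set As Userpic', 'checkbox' => ['7', '8']]],
    ['nothing ticked',       'POST', ['Set' => 'Set As Userpic']],
    ['scalar, not an array', 'POST', ['Set' => 'Set As Userpic', 'checkbox' => '7']],
    ['nested array value',   'POST', ['Set' => 'Set As Userpic', 'checkbox' => [['7']]]],
    ['sent as GET',          'GET',  ['Set' => 'Set As Userpic', 'checkbox' => ['7']]],
];

foreach ($cases as [$label, $method, $post]) {
    $id = selected_userpic($method, $post);
    printf("%-22s %s\n", $label, $id === null ? 'rejected' : "userpic = image $id");
}
```

In a form handler the call would be `selected_userpic($_SERVER['REQUEST_METHOD'], $_POST)`; the returned id still has to be checked against the images the logged-in user owns.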