The $_REQUEST superglobal - something wrong?

I've seen some software (including major ones) that use the $_REQUEST superglobal. And indeed I've heard that something is wrong with this superglobal. Am I correct that it merges $_COOKIE, $_POST, and $_GET? Shouldn't it be very efficient this way, actually helping you avoid typing many (well, 3) variable names?
What's the matter, then?
feyd is exactly right about the reason why you might not want to use $_REQUEST. For example in the following code, the value for "param" in $_REQUEST would be determined by the GPC setting in php.ini. Admittedly, it is probably pretty rare that you would create code like that, but it is an issue for those who want to build cross-platform applications, frameworks, etc. A bigger question is: do you want get, post and cookie data mixed?

```html
<form action="index.php?param=foo" method="post">
<input type="hidden" name="param" value="bar">
```

Here is an example of a Request class. It attempts to "level the playing field" regarding magic quotes and the request method.

```php
class Request {
    // Reference to whichever superglobal matches the request method
    var $data;
    var $is_post = false;

    // PHP 4 style constructor; note that get_magic_quotes_gpc() was
    // removed in PHP 8.0, so this branch only matters on older engines
    function Request() {
        if (get_magic_quotes_gpc()) {
            $this->removeSlashes($_GET);
            $this->removeSlashes($_POST);
            $this->removeSlashes($_COOKIE);
        }
        // Pick exactly one source instead of the $_REQUEST merge
        if (!strcasecmp($_SERVER['REQUEST_METHOD'], 'POST')) {
            $this->data =& $_POST;
            $this->is_post = true;
        } else {
            $this->data =& $_GET;
        }
        if (isset($_SERVER['PATH_INFO'])) {
            $this->data['PATH_INFO'] = trim($_SERVER['PATH_INFO'], '/');
        }
    }

    // Returns the value, or null when the key is absent
    function get($name) {
        if (isset($this->data[$name])) {
            return $this->data[$name];
        }
        return null;
    }

    function set($name, $value) {
        $this->data[$name] = $value;
    }

    function has($name) {
        return isset($this->data[$name]);
    }

    // Recursively strip magic-quote backslashes in place
    function removeSlashes(&$var) {
        if (is_array($var)) {
            foreach ($var as $name => $value) {
                if (is_array($value)) {
                    // Recurse on the element itself, not on the foreach
                    // copy, so nested arrays are actually modified
                    $this->removeSlashes($var[$name]);
                } else {
                    $var[$name] = stripslashes($value);
                }
            }
        } else {
            $var = stripslashes($var);
        }
    }
}
```
I prefer to be specific when using input, thus if I want a GET var, I will use $_GET, etc. 
It can also make life a little easier for anyone wanting to find a loophole in your validation methods, even if the difference is negligible.
Let's say we have a form with this action and method:

```html
<form action="page.php?id=13" method="post">
```

Now, apart from the possibility of a collision (if an input field is named id as well) as already highlighted by Charles256, which could cause problems, it would also mean that a potential hacker wouldn't need to spoof the POST info, he would only need to spoof the GET info (or cookie, or POST and not get.. take your pick.)
Typing /page.php?id=13&var=foo in the address bar is a little easier than spoofing post info.
Like I say though, this is a negligible difference, I just like to be as specific as possible to avoid any collisions.
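To make the "which source wins" point concrete, here is an added example (my code, not from any poster in this thread). It replays the two collisions discussed above ("param" in the first form, "id" in the second) using constructed input arrays so it runs from the CLI without a web server. `merge_request`, `effective_request_order` and `read_input` are names I chose; `request_order` and `variables_order` are the real php.ini directives behind what the thread calls "the GPC setting". It assumes PHP 7.1 or newer for the nullable return type.

```php
<?php
// Added example, not code from the thread. Constructed input below.

/**
 * Rebuild $_REQUEST the way PHP does: walk the request_order string (PHP
 * falls back to variables_order when request_order is empty) and let every
 * later source overwrite keys already set by an earlier one. Letters other
 * than G, P and C (E and S) are ignored, as they are for $_REQUEST.
 */
function merge_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    if ($order === '') {
        return $merged;
    }
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // string keys: the right-hand array wins on collision
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** The order this PHP installation would actually apply to $_REQUEST. */
function effective_request_order(): string
{
    $order = (string) ini_get('request_order');
    return $order !== '' ? $order : (string) ini_get('variables_order');
}

/**
 * Read one parameter from exactly one source and validate it. The caller
 * passes $_GET, $_POST or $_COOKIE (here: a constructed array), so php.ini
 * never gets to decide which channel supplied the value.
 * Returns null when the key is absent, is not a scalar, or fails validation.
 */
function read_input(array $source, string $name, callable $validate): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    return $validate($source[$name]) ? $source[$name] : null;
}

// Constructed request, modelled on the two forms in the thread:
//   <form action="index.php?param=foo" method="post"> with hidden param=bar
//   <form action="page.php?id=13" method="post">
// plus a cookie that also happens to be named "param".
$get    = ['param' => 'foo', 'id' => '13'];
$post   = ['param' => 'bar'];
$cookie = ['param' => 'baz'];

// Which "param" does $_REQUEST hand the script? Depends only on php.ini.
foreach (['GP', 'PG', 'EGPCS'] as $order) {
    $req = merge_request($get, $post, $cookie, $order);
    printf("request_order=%-6s param=%s id=%s\n",
        $order, $req['param'], $req['id'] ?? '(none)');
}
// GP    -> param=bar (POST wins)
// PG    -> param=foo (GET wins)
// EGPCS -> param=baz (cookie wins: the variables_order fallback puts C last)
printf("this install would use: %s\n", effective_request_order());

// Naming the source removes the ambiguity entirely.
var_dump(read_input($post, 'param', 'strlen'));       // string(3) "bar"
var_dump(read_input($get,  'id',    'ctype_digit'));  // string(2) "13"
var_dump(read_input($post, 'id',    'ctype_digit'));  // NULL: id was never POSTed
```

Run it with `php demo.php` (any file name). The three `request_order` rows show that the same script, with the same inbound request, reads a different "param" depending on a server setting the code never sees; `read_input` makes the source part of the call, which is the point both posters above are making.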