
The $_REQUEST superglobal - something wrong?

Posted: Tue Jan 24, 2006 9:19 am
by pilau
I've seen some software (including major ones) that use the $_REQUEST superglobal. And indeed I've heard that something is wrong with this superglobal. Am I correct that it merges $_COOKIE, $_POST, and $_GET? Shouldn't it be very efficient this way, actually helping you avoid typing many (well, 3) variable names?
What's the matter, then?

Posted: Tue Jan 24, 2006 9:26 am
by feyd
The problems can come from the order (which is set in the ini) in which they are combined, along with overwriting other incoming values. Therefore it can be suggested that you create your own version, in the order you want and with the overwriting permission filtering you want.

Posted: Tue Jan 24, 2006 9:26 am
by Charles256
I don't much care for it, but that's because I had a bug where a POST and a GET variable got mixed up. They just happened to be named the same thing and chaos ensued... Doh... Made me change my ways with a quickness.

Posted: Tue Jan 24, 2006 10:18 am
by Christopher
feyd is exactly right about the reason why you might not want to use $_REQUEST. For example in the following code, the value for "param" in $_REQUEST would be determined by the GPC setting in php.ini.

Code:

<form action="index.php?param=foo" method="post">
<input type="hidden" name="param" value="bar">
Admittedly, it is probably pretty rare that you would create code like that, but it is an issue for those who want to build cross-platform applications, frameworks, etc. A bigger question is: do you want get, post and cookie data mixed?

Here is an example of a Request class. It attempts to "level the playing field" regarding magic quotes and the request method.

Code:

class Request {
    var $data;
    var $is_post = false;

    // Constructor: undo magic_quotes_gpc if it is on, then bind $data to
    // either $_POST or $_GET depending on the request method (never both).
    function Request() {
        if (get_magic_quotes_gpc()) {
            $this->removeSlashes($_GET);
            $this->removeSlashes($_POST);
            $this->removeSlashes($_COOKIE);
        }
        if (!strcasecmp($_SERVER['REQUEST_METHOD'], 'POST')) {
            $this->data =& $_POST;
            $this->is_post = true;
        } else {
            $this->data =& $_GET;
        }
        if (isset($_SERVER['PATH_INFO'])) {
            $this->data['PATH_INFO'] = trim($_SERVER['PATH_INFO'], '/');
        }
    }

    // Returns the value for $name, or null if it was not sent.
    function get($name) {
        if (isset($this->data[$name])) {
            return $this->data[$name];
        }
        return null;
    }

    function set($name, $value) {
        $this->data[$name] = $value;
    }

    function has($name) {
        return isset($this->data[$name]);
    }

    // Recursively strips the slashes that magic_quotes_gpc added.
    function removeSlashes(&$var) {
        if (is_array($var)) {
            foreach ($var as $name => $value) {
                if (is_array($value)) {
                    $this->removeSlashes($var[$name]);
                } else {
                    $var[$name] = stripslashes($value);
                }
            }
        } else {
            $var = stripslashes($var);
        }
    }

}

Posted: Tue Jan 24, 2006 10:20 am
by Jenk
I prefer to be specific when using input, thus if I want a GET var, I will use $_GET, etc. :)

It can also make life a little easier for anyone wanting to find a loophole in your validation methods, even if the difference is negligible.


Let's say we have a form with this action and method:

Code:

<form action="page.php?id=13" method="post">
Now, apart from the possibility of a collision (if an input field is named id as well), as already highlighted by Charles256, which could cause problems, it would also mean that a potential hacker wouldn't need to spoof the POST info; he would only need to spoof the GET info (or cookie, or POST and not GET... take your pick).

Typing /page.php?id=13&var=foo in the address bar is a little easier than spoofing POST info.

Like I say though, this is a negligible difference, I just like to be as specific as possible to avoid any collisions :)
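An added example, not code from any poster in this thread, that ties together feyd's and Christopher's point (the merge order decides who wins a name collision) and Jenk's point (read each parameter from the one source you expect). It builds its own merged array from an explicit order instead of the php.ini setting, reports every name that arrived from more than one source, and provides an accessor that reads from exactly one source while noting whether the same name also turned up elsewhere. The function names and the sample request arrays are constructed for this example.

```php
<?php
// Added example (not from this thread): explicit-order merge of request
// sources with collision reporting, plus a single-source accessor.

// $sources maps a source name to its array, e.g.
//   array('get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE)
// $order lists source names; a later source overwrites an earlier one,
// which is the same semantics as the ini order string ("GPC" = get, post, cookie).
function merge_request(array $sources, array $order)
{
    $merged = array();
    $seen = array(); // name => list of sources that carried it
    foreach ($order as $src) {
        if (!isset($sources[$src])) {
            continue;
        }
        foreach ($sources[$src] as $name => $value) {
            $seen[$name][] = $src;
            $merged[$name] = $value;
        }
    }
    $collisions = array();
    foreach ($seen as $name => $srcs) {
        if (count($srcs) > 1) {
            $collisions[$name] = $srcs; // worth a log line in a real app
        }
    }
    return array('data' => $merged, 'collisions' => $collisions);
}

// Read $name from exactly one source ($src), ignoring every other source.
// Returns $default when the expected source lacks it; $alsoIn receives the
// names of any other sources that carried the same name, so a value arriving
// by an unexpected channel can be logged rather than silently accepted.
function param_from(array $sources, $src, $name, $default = null, &$alsoIn = null)
{
    $alsoIn = array();
    foreach ($sources as $other => $arr) {
        if ($other !== $src && array_key_exists($name, $arr)) {
            $alsoIn[] = $other;
        }
    }
    if (!isset($sources[$src]) || !array_key_exists($name, $sources[$src])) {
        return $default;
    }
    return $sources[$src][$name];
}

// Constructed input reproducing Christopher's form: ?param=foo in the action
// URL and a hidden POST field also named "param"; "id" comes by GET and cookie.
$sources = array(
    'get'    => array('param' => 'foo', 'id' => '13'),
    'post'   => array('param' => 'bar', 'comment' => 'hello'),
    'cookie' => array('id' => '99'),
);

$gpc = merge_request($sources, array('get', 'post', 'cookie'));
$cgp = merge_request($sources, array('cookie', 'get', 'post'));
// Same request, different answers depending only on the merge order:
//   $gpc['data']['param'] === 'bar'   $gpc['data']['id'] === '99'
//   $cgp['data']['param'] === 'bar'   $cgp['data']['id'] === '13'
// Both report the collisions: param => get, post; id => get, cookie (in order seen).

$id = param_from($sources, 'post', 'id', null, $alsoIn);
// $id === null: 'id' was never POSTed, even though GET and COOKIE carry one.
// $alsoIn === array('get', 'cookie'), the kind of mismatch Jenk describes.

printf("GPC id=%s, CGP id=%s, POST-only id=%s, id also in: %s\n",
    $gpc['data']['id'], $cgp['data']['id'], var_export($id, true), implode(',', $alsoIn));
```

The merge function is only there to make the ordering problem visible; the accessor is the part you would actually use, since it never lets a GET or cookie value stand in for a field your form sends by POST.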

Posted: Tue Jan 24, 2006 10:54 am
by pilau
Thanks, that made a lot of things a lot clearer 8)