$_REQUEST or $_POST



Wanna
09-20-2011, 02:50 PM
Hello,

I've made many sites with $_POST, but recently I heard that $_REQUEST is much safer to use (I don't know, tbh).

Do some of you know what is better? And why?

Thanks,
Wanna

myfayt
09-20-2011, 02:52 PM
$_REQUEST contains: $_COOKIE, $_GET, and $_POST variables

If you use $_REQUEST you have no guarantee that the data came from the post data, which leads to security holes in your script.

Also, if there is a $_GET['var'] = 'foo'; and $_POST['var'] = 'something else'; the $_REQUEST['var'] would be the last one set (I think, not 100% positive).

Basically... never use $_REQUEST, use $_POST for post method forms, $_GET for query string and get method forms, and $_COOKIE to handle cookies.

Wanna
09-20-2011, 02:55 PM
Thanks for the fast reply.

I already thought something like that. (That the variable will be overwritten)

tangoforce
09-20-2011, 03:34 PM
$_REQUEST contains: $_COOKIE, $_GET, and $_POST variables


From PHP 5, $_COOKIE was dropped. It now contains just $_GET and $_POST.

Inigoesdr
09-20-2011, 03:55 PM
From PHP 5, $_COOKIE was dropped. It now contains just $_GET and $_POST.

I don't think that's accurate. Do you have a reference for this?

Keleth
09-20-2011, 03:56 PM
It's also worth considering: the only reason to use $_REQUEST is when you don't know where your information will be coming from, and if you don't know where your data is coming from, you should rethink your design.

Keleth
09-20-2011, 03:57 PM
I don't think that's accurate. Do you have a reference for this?

According to PHP documentation, it still contains _COOKIE.

Wanna
09-20-2011, 03:57 PM
When I look at the PHP site:
http://php.net/manual/en/reserved.variables.request.php

It still says $_COOKIE is included

tangoforce
09-20-2011, 04:01 PM
I seem to remember being told over at sitepoint that $_COOKIE had been dropped as of v5 / v5.3.

Perhaps someone has got this wrong then. Doesn't really worry me as I've never used $_REQUEST - I always use $_HTTP = $_GET + $_POST

EDIT:
Found something which rang a bell:
http://www.php.net/manual/en/ini.core.php#ini.request-order


This directive describes the order in which PHP registers GET, POST and Cookie variables into the _REQUEST array. Registration is done from left to right, newer values override older values.

If this directive is not set, variables_order is used for $_REQUEST contents.

Note that the default distribution php.ini files does not contain the 'C' for cookies, due to security concerns.



I knew I'd read about this at more than one place. I've also just done a var_dump($_REQUEST) on my system and it never displayed any PHP session cookie.

Fou-Lu
09-20-2011, 05:19 PM
As mentioned, $_REQUEST MAY still contain cookies if C is specified in request_order. That is new as of 5.3.0 if I'm not mistaken.

Generally speaking, request should always be avoided. It's better to know where something has come from than to assume that it's from one or the other. In the event it can come from either, I'd still check _GET first, then _POST. This is specifically because the order can be modified and I do not want to rely on _POST overriding _GET when provided by the system.
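
An added example, not written by any poster in this thread: it emulates the left-to-right registration that the request_order text quoted above describes, using constructed sample arrays in place of the real superglobals, then does an explicit per-source lookup that does not depend on php.ini. The helper names build_request and read_param are hypothetical.

```php
<?php
declare(strict_types=1);

// Emulates how PHP fills $_REQUEST: sources are registered left to right
// in request_order, and a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Explicit lookup in the order the caller chooses, independent of php.ini.
// Returns [value, source name], or [null, null] if the key is absent.
function read_param(string $key, array $orderedSources): array
{
    foreach ($orderedSources as $name => $data) {
        if (array_key_exists($key, $data)) {
            return [$data[$key], $name];
        }
    }
    return [null, null];
}

// Constructed sample request: the same key arrives through three channels.
$get    = ['action' => 'view'];
$post   = ['action' => 'delete'];
$cookie = ['action' => 'from-cookie'];

// The winning value changes with the ini setting, not with the code.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $req = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST['action'] = %s\n", $order, $req['action']);
}

// Checking named sources in a fixed order also reports where the value came from.
[$value, $source] = read_param('action', ['GET' => $get, 'POST' => $post]);
printf("explicit lookup: %s (from %s)\n", $value, $source);
```

In real code the arrays passed to read_param would be $_GET and $_POST themselves, and a state-changing handler would pass only $_POST.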


