If you know where the data is coming from, and the method used -- then it's usually better to use $_POST or $_GET. Otherwise, it doesn't matter.

hrm.. i'm so interested
is there any discussion? PM me url is possible

I specify $_POST or $_GET based on what data I am reading. The only time I use $_REQUEST is when I am passing data in a bunch of ways to one page. I did that recently, it was a little weird actually.

Picture a scenario where you need to get a posted var from a form, I can now pass a var in the url of the same name and your script will handle it. It just leaves more error checking for you and more possibilities for people to exploit.

The only time I use $_REQUEST is when I am passing data in a bunch of ways to one page. I did that recently, it was a little weird actually.

I hear you there, jatar_k. I've done the same.

I had a link using $_GET, got to that page, used $_GET again to go to another page. Then I needed to return to the page I $_GETted to in the first place, and this time I used <input type="hidden"> with a POSTed return via PHP's header() function...talk about twisted. I had to go back to the drawing board. You know when it really gets messy? When you have to deal with slashes in your variables or when you use serialize() and urlencode() with whacky text in your input string, especially the old "whack" character (\). addslashes, stripslashes...it gets downright ugly.

OK, everybody follow that? Of course you did. I'm going to bed.

LOL!

Thanks for the input guys. So there`s no real harm in me using $_REQUEST? That was the bottom line. Sounds like I should get more into the habit of using $_POST & $_GET though, so thats what I`ll do. :)

Oh and Xeufer, no there wasn`t a discussion anywhere about it, its just that on some other forums when I`ve posted code and used $_REQUEST, they tend to always pick me up about it.

Thanks for the information!

:)

Maybe I'm just a little on the lazy side but I use $_REQUEST almost exclusivly. I dis-trust $_GET and $_POST equally as much so for the most part I don't care how you gave me a variable. Really I only care about Internal/External.

Daisho.

I wouldn't call it laziness, daisho. Look at my previous thread. If you ever need to access that variable differently, $_REQUEST is the best way to go. Well, in at least you wouldn't have to tweak your code just to retrieve the variable value from the superglobal(s). Using $_REQUEST will get the value no matter which form method was used. You still need to check the input, as you stated:

>>Really I only care about Internal/External.

That, folks, is the bottom line! Don't trust externally (publicly) populated variables, no matter what method is being used.

coopster: true
"Don't trust externally values"

but still need to care about "Internal/External", because, at least, your page have to take action for External requests
if u login as Admin/User using session cookie, and have a page do GET/POST to do some operate(admin:delete user:edit profile, etc.)
how if an external page GET/POST to that url?

e.g.:
www.hackersite.com: link to
www.yoursite.com/deleteuser.php?id=123

checking referer may help, but most firewall is just silly and block all HTTP_REFERER for "priviay", which lead "security" issue
and also, script navigating will have empty referer.

>>www.yoursite.com/deleteuser.php?id=123

In this example, Xuefer, I would consider the id variable an external variable as it has been passed via a $_GET method in the form of a URL query string. It is being accepted from an external source (user-manipulated) which should not be trusted unlike the untainted internal variables that are defined and control within the code.

External variables are values that the user can populate, yet we can still control safely within our code by editing and checking values against a file, against a predefined array, pattern matching, etc. so that it meets certain criteria that has been defined as safe at which point we might consider them untainted variables.

Passing variables via form methods or URL query strings means that on the next page we need to check that data again, even if we set the value previously! Since HTTP is a stateless protocol, every request is like a brand new request and that means checking any variable data being passed by form methods and/or URL query strings.

If I had indeed written my

deleteuser.php

in the manner you described where I would accept the id of the user to operate on via a GET method (external), the first thing I would be doing in the deleteuser.php script would be to authenticate the administrative user prior to any operations being performed on the user indicated by id.

Hope this clears up the confusion.

hehe, seems i'm mixing something
my correction: "same site/cross site"
Internal=Php variables
External=data submited from user
Same site=user using my site to submit
Cross site=user using hackers' site to submit

one hacker can post the url as a thread in your site, pointed to his own page, where there is a script will do: window.location.href="http://yoursite.com/deleteuser.php?id=123"
when you're trapped into his url while you're in authed state, you're navigated to operate the deletion

how can u make sure the submit(GET/POST) is from same site, not cross site?
maybe a bit off topic

another problem:
if you pass things in url (including session id), http referer will be leaked out when user click on a out linking url.
but if u hide it in <form action=post>, then this will not happend.

okay, return to your topic.
$_REQUEST default is: 'gpc'
that is:
$_REQUEST = $_COOKIE + $_POST + $_GET;
same as:
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);
$_COOKIE will have higher priority.
if u mess up cookie/form names, your $_REQUEST will be illness

i've changed it into 'cgp', any ideas?

Another feature I haven't noticed, even though it's been around since 4.1.0

Having never played with it, perhaps someone can just tell me quickly, how variables are referenced. I assume

$_REQUEST['var']

and if you have a post var and get var with the same name, the one gets overwritten by the other as specified by the "variables_order" setting?

Is that right? So if you had better be sure that you do not have a post var with the same name as a get var unless you truly intend one to get overwritten?

Thanks,

Tom

exactly

$_REQUEST [ca.php.net]

Variables provided to the script via the GET, POST, and COOKIE input mechanisms, and which therefore cannot be trusted. The presence and order of variable inclusion in this array is defined according to the PHP variables_order configuration directive. This array has no direct analogue in versions of PHP prior to 4.1.0. See also import_request_variables().

variables_order [ca.php.net]

Set the order of the EGPCS (Environment, GET, POST, Cookie, Server) variable parsing. The default setting of this directive is "EGPCS". Setting this to "GP", for example, will cause PHP to completely ignore environment variables, cookies and server variables, and to overwrite any GET method variables with POST-method variables of the same name.