Forum Moderators: coopster


Why not to use REQUEST

         

jatar_k

3:51 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



try this

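<?php
// save as reqtest.php; the cookie only comes back on the next request,
// so submit the form once to see all four sources filled in
setcookie('testthis','one',time()+3600,'/','.example.com');
?>
<form name="someform" action="reqtest.php?testthis=two" method="post">
<input type="hidden" name="testthis" value="three">
<input type="submit" value="do it">
</form>
<?php
// isset() avoids undefined index notices on the first load,
// htmlspecialchars() keeps client-supplied values from being echoed back as markup
echo '<br />cookie: ',isset($_COOKIE['testthis']) ? htmlspecialchars($_COOKIE['testthis']) : '(not set)';
echo '<br />get: ',isset($_GET['testthis']) ? htmlspecialchars($_GET['testthis']) : '(not set)';
echo '<br />post: ',isset($_POST['testthis']) ? htmlspecialchars($_POST['testthis']) : '(not set)';
echo '<br />request: ',isset($_REQUEST['testthis']) ? htmlspecialchars($_REQUEST['testthis']) : '(not set)';
echo '<br />var order: ',ini_get('variables_order');
?>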

replace example.com with your own domain, guess first and see if the result is what you thought, then think about how easily your data can be manipulated.

if you have control over the server you could make a change and get different results, then imagine a script you made to distribute to different servers.

Readie

4:22 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



To further the point, as $_REQUEST[] touches on multiple levels it incurs a significantly higher overhead than the individual $_GET, $_POST etc. and so should be avoided where possible for efficiency reasons too.

Matthew1980

6:58 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all,

I personally have never used $_REQUEST for accessing POST or GET data, though I knew it existed; I have always done the direct route.

As this thread is directed at why you shouldn't use $_REQUEST, a question springs to mind.. What would be the proper use for $_REQUEST then, I mean what context would it be best suited for?

Cheers,
MRb

jatar_k

7:56 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



none really, it even says you can't rely on the data on php.net

[php.net...]
The variables in $_REQUEST are provided to the script via the GET, POST, and COOKIE input mechanisms and therefore could be modified by the remote user and cannot be trusted.

Matthew1980

8:18 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi,

Well, if even the creators have said don't use this method/practice, wouldn't it be better for them to remove any reference from the next major release, or is this something that's planned anyway?

Or is this something that is present from the browser side of things, and therefore has to be supported until the browser engines are improved - or have I totally missed the point :)

Cheers,
MRb

Readie

8:33 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> Well, if even the creators have said don't use this method/practice, wouldn't it be better for them to remove any reference from the next major release, or is this something that's planned anyway?

Even deprecated elements that are not supported in PHP 5 still have their pages on php.net, it's for people who, for some reason or another, resist the idea of upgrading.

No longer providing support is one thing, not providing documentation is another.

Also, $_REQUEST does have its place - it's *occasionally* handy when I'm trying to decide whether to use post or get for a specific task, and want to see how they both pan out. It never reaches the live version of the site though, for obvious reasons.

mack

9:05 pm on Apr 8, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I only use $_REQUEST for debugging. It can be a handy tool for quick testing without having to send post data.

Mack.

eelixduppy

10:30 pm on Apr 8, 2010 (gmt 0)



>> none really, it even says you can't rely on the data on php.net

You cannot trust any data that can be manipulated by a user, which also includes the other superglobal arrays.


REQUEST has its place, especially for "legacy scripts" and backwards compatibility. If you are coding a new project it is probably best to steer clear of its use, though.

jatar_k

12:59 pm on Apr 9, 2010 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I will respectfully disagree as I think it is very bad practice even for the most experienced programmers but I would trust eelix to do lots of things I wouldn't let anyone else ;)

as long as you test it, clean it, never extract it (don't laugh I see it too often) and treat its data with the suspicion it deserves you should have a chance at getting what you think
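
Added example, not part of any post in this thread: a simplified model of how PHP fills $_REQUEST from the request_order setting (variables_order when request_order is empty), run on the three values from the test script in the first post, next to a read from one explicit source. The function names build_request and input_from and the allowlist values are hypothetical, and the sample arrays are constructed.

```php
<?php
// Simplified model (added example) of how PHP fills $_REQUEST: sources are
// merged in the order given by request_order (or variables_order when
// request_order is empty), and a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {          // E and S never feed $_REQUEST
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hypothetical helper: read a key from ONE named source and accept it only
// if it is a string found in an allowlist; anything else yields null.
function input_from(array $source, string $key, array $allowed): ?string
{
    $value = $source[$key] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : null;
}

// Constructed sample input: the three values from the test script above.
$get    = ['testthis' => 'two'];
$post   = ['testthis' => 'three'];
$cookie = ['testthis' => 'one'];

// Same request, four different server configurations.
foreach (['GP', 'GPC', 'CGP', 'EGPCS'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("%-5s => request: %s\n", $order, $request['testthis']);
}

// The same form field read from its intended source gives one answer
// regardless of the ini setting or of any cookie the client sends.
var_dump(input_from($post, 'testthis', ['three', 'four']));
```

With an order ending in C (GPC, EGPCS) the cookie value shadows the posted form field, while GP and CGP return the POST value, so a script distributed to servers with different ini files sees different data for the same request.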