$_REQUEST variable

[kurt.santo]

$_REQUEST stores all of the data sent to a php page throught either get, post or data accessible in cookies. I did first assume that then it might be a great idea to use this global variable, then I heard about security issues. I did not understand what the real risk is. Does someone know the reason?Kurt

[boen_robot]

The real "risk" is that you're making it easier for attackers to try and hack your code. Normally, they'd need to emulate a POST variable with a tool like Fiddler. When you use $_REQUEST, they can just as easily pass a URL argument, which is far easier to try out.In addition, when you separate the methods, you may eventually try to block POST requests from a certain suspicious user. If you use $_REQUEST, that is irrelevant, as you still allow $_GET and $_COOKIE ones.In addition, forging cookies is also easier.It's all just about making hacking one step easier, even though it's not a security hole by itself.

[kurt.santo]

The real "risk" is that you're making it easier for attackers to try and hack your code. Normally, they'd need to emulate a POST variable with a tool like Fiddler. When you use $_REQUEST, they can just as easily pass a URL argument, which is far easier to try out.In addition, when you separate the methods, you may eventually try to block POST requests from a certain suspicious user. If you use $_REQUEST, that is irrelevant, as you still allow $_GET and $_COOKIE ones.In addition, forging cookies is also easier.It's all just about making hacking one step easier, even though it's not a security hole by itself.

Understood! Thank you for the clarification...Kurt

[clonetrooper9494]

Just wondering, but why did they come out with the var if it has so many cons?

[Synook]

Because in some cases the same data may be available either from cookies or from the URL, or from a POST request, and $_REQUEST saves developers the trouble of finding out which. Though, its a bit like register_globals in a way...

[jeffman]

The cons only exist if you're a sloppy engineer. There is absolutely no reason why a script couldn't run $_REQUEST through one iterator (instead of the alternative, which is three) and extract all the info necessary to get the job done. The danger comes when you don't really think about your data and just blindly do stuff with it that could get you in trouble--like, say, running an untested POST value through an eval statement, or using a GET value as a password.$_REQUEST values could lead the sloppy engineer into forgetting where the values came from or how they got there, which in turn could lead to bad security. So getting in the habit of using $_POST and $_GET promotes, but doesn't ensure, better security. Just don't be fooled into thinking they ARE better security.

[boen_robot]

If you wanted to emulate (or adjust the behaviour of) $_REQUEST for iteration's sake, you could always do:

$_REQUEST = $_GET + $_POST + $_COOKIE;

Like Synook, I think this is a lot like register_globals. It's not a security issue by itself, but it can very easily be misued.

[tyweiss]

I use it a lot when working on big projects and I forget what all is coming into the page. Mostly debugging/building but take it off afterwards, I don't think I've ever used it otherwise. That of course doesn't stop you from using it, although I'd be careful when doing so.