William Jiang

JavaScript,PHP,Node,Perl,LAMP Web Developer – http://williamjxj.com; https://github.com/williamjxj?tab=repositories

php $_REQUEST, $_GET, $_POST

When we process submit form, how to accept the input request? We have 3 choices: $_REQUEST, $_GET, $_POST. What’s the difference between $_REQUEST and the other 2 ?

$_REQUEST contains: $_GET, $_POST request, as well as $_COOKIE variables.

The following is a real case which occurs bugs, For the html form:

  1. <form action=”process_submit.php”, method=”GET”>…</form>

Suppose we have 2 import pairs: [‘user’]=’test_user’, [‘pass’]=’test_pass’.
If using $_GET or $_POST, we accurately get what we are expecting:

  1. and user = ‘test_user’ and pass = ‘test_pass’;

However, if for better compatibility of changing form’s method between ‘GET’ and ‘POST’, we use $_REQUEST to hold all the possibility, like:

  1. foreach ($_REQUEST as $key => $value) {
  2.   $hash[$key] = trim($value);
  3.   $condition = ” and $key='” . $trim($value) . “‘ “;
  4. }

Because $_REQUEST=$_GET/$_POST + $_COOKIE, unanticipated variables are imported, here is some security holes and vogue bugs.

  • and user=’test_user’ and pass=’test_pass’ and cookie_key1=’cookie_value1′ and cookie_key2=’cookie_value2′ …

This is not exactly what we want.
So, if you are sure which request are input (method=’get’ or method=’post’), use it directly ($_GET, or $_POST) instead of vague $_REQUEST.
In other words, avoid to use $_REQUEST, this max avoid bugs and security holes.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: