When we process a submitted form, how should we read the input? We have 3 choices: $_REQUEST, $_GET and $_POST. What's the difference between $_REQUEST and the other two?
$_REQUEST contains the $_GET and $_POST request variables, as well as the $_COOKIE variables.
The following is a real case that caused bugs. For the HTML form:
- <form action="process_submit.php" method="GET">…</form>
Suppose we have 2 input pairs: ['user']='test_user', ['pass']='test_pass'.
If we use $_GET or $_POST, we get exactly what we expect:
- and user = 'test_user' and pass = 'test_pass';
However, suppose we use $_REQUEST to cover every possibility, so that the form's method can be switched between 'GET' and 'POST' without changing the code, like:
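- $hash = [];
- $condition = '';
- // $_REQUEST also carries cookie values, so each cookie becomes a condition too
- foreach ($_REQUEST as $key => $value) {
- $hash[$key] = trim($value);
- $condition .= " and $key='" . trim($value) . "' ";
- }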
Because $_REQUEST = $_GET/$_POST + $_COOKIE, unanticipated variables are imported, which leads to security holes and vague bugs:
- and user='test_user' and pass='test_pass' and cookie_key1='cookie_value1' and cookie_key2='cookie_value2' …
This is not exactly what we want.
So, if you know which kind of request carries the input (method='get' or method='post'), use the matching array directly ($_GET or $_POST) instead of the vague $_REQUEST.
In other words, avoid using $_REQUEST; this avoids the most bugs and security holes.
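The case described above, as an added example that is not code from the original post: it models a GET submission arriving with two cookies, runs the post's loop over the merged data, then builds the same condition from an allowlist of the form's own fields with placeholders for a prepared statement. The arrays are constructed sample data and build_conditions() is a hypothetical helper; whether cookies land in $_REQUEST on a given server depends on the request_order and variables_order settings in php.ini.

```php
<?php
// Constructed sample data: process_submit.php?user=test_user&pass=test_pass
// sent by a browser that also holds two cookies.
$get    = ['user' => ' test_user ', 'pass' => 'test_pass'];
$cookie = ['cookie_key1' => 'cookie_value1', 'cookie_key2' => 'cookie_value2'];

// What $_REQUEST holds when cookies are part of it (assumption: the server's
// request_order / variables_order includes "C").
$request = array_merge($get, $cookie);

/**
 * Hypothetical helper: build a WHERE fragment from only the fields the form
 * defines, using named placeholders so values are bound, not concatenated.
 */
function build_conditions(array $input, array $allowed): array
{
    $sql = '';
    $params = [];
    foreach ($allowed as $key) {
        if (!isset($input[$key]) || !is_string($input[$key])) {
            continue; // field missing, or sent as an array (user[]=x)
        }
        $sql .= " and $key = :$key";          // $key comes from the allowlist only
        $params[":$key"] = trim($input[$key]);
    }
    return [$sql, $params];
}

$allowed = ['user', 'pass'];

// The post's loop over the merged array: cookie names become column names.
$loose = '';
foreach ($request as $key => $value) {
    $loose .= " and $key='" . trim($value) . "'";
}
echo "loop over REQUEST:", $loose, "\n";

// Allowlisted read from the GET data only; cookies never reach the query.
[$sql, $params] = build_conditions($get, $allowed);
echo "allowlisted GET:  ", $sql, "\n";
print_r($params);

// Even when handed the merged array, the helper ignores unexpected keys.
[$sql2] = build_conditions($request, $allowed);
var_dump($sql === $sql2);
```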