What's Wrong With Using $_Request[]

What's wrong with using $_REQUEST[]?

There's absolutely nothing wrong with taking input from both $_GET and $_POST in a combined way. In fact that's what you almost always want to do:

  • for a plain idempotent request usually submitted via GET, there's the possibility the amount of data you want won't fit in a URL so it has be mutated to a POST request instead as a practical matter.

  • for a request that has a real effect, you have to check that it's submitted by the POST method. But the way to do that is to check $_SERVER['REQUEST_METHOD'] explicitly, not rely on $_POST being empty for a GET. And anyway if the method is POST, you still might want to take some query parameters out of the URL.

No, the problem with $_REQUEST is nothing to do with conflating GET and POST parameters. It's that it also, by default, includes $_COOKIE. And cookies really aren't like form submission parameters at all: you almost never want to treat them as the same thing.

If you accidentally get a cookie set on your site with the same name as one of your form parameters, then the forms that rely on that parameter will mysteriously stop working properly due to cookie values overriding the expected parameters. This is very easy to do if you have multiple apps on the same site, and can be very hard to debug when you have just a couple of users with old cookies you don't use any more hanging around and breaking the forms in ways no-one else can reproduce.

You can change this behaviour to the much more sensible GP (no C) order with the request_order config in PHP 5.3. Where this is not possible, I personally would avoid $_REQUEST and, if I needed a combined GET+POST array, create it manually.

Why should I use $_GET and $_POST instead of $_REQUEST?

I use $_REQUEST when I just want certain data from the user to return certain data.

Never use $_REQUEST when the request will have side effects. Requests that produce side effects should be POST (for semantic reasons, and also because of basic CSRF stuff, a false img tag can hit any GET endpoint without a user even knowing).

$_GET should be used when GETing or POSTing to a page will produce different results.

Among $_REQUEST, $_GET and $_POST which one is the fastest?

$_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.

But it's only a default, which depends on variables_order ; and not sure you want to work with cookies.

If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both) : generally speaking :

  • You should use $_GET when someone is requesting data from your application.
  • And you should use $_POST when someone is pushing (inserting or updating ; or deleting) data to your application.

Either way, there will not be much of a difference about performances : the difference will be negligible, compared to what the rest of your script will do.

What's the difference between $_POST, $_GET, and $_REQUEST?

$_POST is an associative array of variables passed to the current script via the HTTP POST method when using application/x-www-form-urlencoded or multipart/form-data as the HTTP Content-Type in the request.
You can use when you are sending large data to server or if you have sensitive information like passwords, credit card details etc

$_GET is an associative array of variables passed to the current script via the URL parameters. you can use when there is small amount of data, it is mostly used in pagination, page number is shown in the url and you can easily get the page number from URL using $_GET

$_REQUEST is a 'superglobal' or automatic global, variable. This simply means that it is available in all scopes throughout a script. It is an associative array that by default contains the contents of $_GET, $_POST and $_REQUEST (depending on request_order=)

Using isset($_REQUEST[p]) or $_REQUEST[p]

They have error_reporting turned down, which is nice because it means you can do things like

if ($_POST['whatever']) { ... }

instead of 

if (isset($_POST['whatever'])) { ... }

but it also stops you from seeing other possibly pertinent errors.

this setting is found in the php.ini file under the variable error_reporting.

More information on the ini file can be found here: http://php.net/manual/en/ini.php

also, isset($_REQUEST["p"])=="procurar" while sytactically correct, is never going to return true, because isset() returns a boolean value.

what you want is isset($_REQUEST['p']) && $_REQUEST['p'] == 'procurar'

$_REQUEST in PHP

$_REQUEST is a super global array. Just like $_GET, $_POST, $_COOKIE, $_SESSION etc. That means it can store a list information numerically or associatively.

For example:
Associative:
$array = array(key->value, key->value);
Numeric:
$array = array([0]->value, [1]->value);

In the case of $_REQUEST or $_POST or $_GET these arrays will store encoded data sent to the PHP header.

for example:
$_REQUEST['key'] = value;

or

you have a navigation item:
<a href='?key=value'>value</a> //for $_GET

PHP will encode that key->value into the url and save it to the super global array that you are using. To access it call:
echo $_REQUEST['key']; //returns 'value'

In your case msg is, so far, not encoded to the browser. It needs to be passed by different means(forms, href's etc.). So,

 $_REQUEST['msg'] = 'new';
 if(isset($_REQUEST['msg'])){       //use isset() to avoid an error
    if($_REQUEST['msg'] == "new"){
        $message = "New User has been added successfully";  
    }else if($_REQUEST['msg'] == 'edit'){
        $message = "User has been saved successfully";
    }else if($_REQUEST['msg'] == 'update'){
        $message = "User(s) has been Updated successfully";
    }
}                           //returns $message = "New user..."

$_REQUEST is not suggested because it makes it hard to control what information is processed. $_GET requests show the key->value pairs in the url. Information that you don't want as visible probably shouldn't be shown there. With $_REQUEST a user can send that key->value pair over the url to see what information needs to be passed and exploit that in other ways (google cross-site request forgeries).

TL;DR : $_REQUEST['msg'] -- 'msg' is a key in a key->value pair ('new'| 'edit' | 'update' being the value)

$_REQUEST is a superglobal array that saves values that can be used by the user in any scope in other parts of the website.


Related Topics

Target Class Controller Does Not Exist - Laravel 8

What Is the Use of the @ Symbol in PHP

What Is Output Buffering

How to Remove Duplicate Values from an Array in PHP

Strange Behavior of Foreach When Using Reference: Foreach ($A as &$V) { ... }

Simplest Way to Profile a PHP Script

If Block Inside Echo Statement

How to Encrypt/Decrypt Data in PHP

How to Prevent Browser Cache For PHP Site

PHP Pass by Reference in Foreach

How to Force File Download With PHP

Parse Xml With Namespace Using Simplexml

Pdoexception Sqlstate[Hy000] [2002] No Such File or Directory

Htmlentities() Vs. Htmlspecialchars()

In PHP When Submitting Strings to the Database Should I Take Care of Illegal Characters Using Htmlspecialchars() or Use a Regular Expression

How to Convert an Image to Base64 Encoding

PHP 7.2 Function Create_Function() Is Deprecated

Curl Error 60: Ssl Certificate: Unable to Get Local Issuer Certificate


Leave a reply



Submit