The Dangers of Using $_REQUEST: A False Convenience
While the $_REQUEST variable may provide temporary ease, it conceals a fundamental problem that can lead to potential security vulnerabilities and erroneous behavior.
The Pitfall of Superfluous Cookie Inclusion
Unlike form submission parameters ($_GET and $_POST), cookies are distinct entities that should not be treated in the same manner. By default, $_REQUEST combines all three sources: $_GET, $_POST, and $_COOKIE. This can result in conflicts when a cookie name coincides with a form parameter, causing the parameter to be overridden by the cookie's value.
This can be especially problematic when multiple applications reside within the same website, as it can lead to unintentional form malfunctions. Even with just a few users maintaining old cookies, the consequences can be unpredictable and challenging to diagnose.
Mitigating the Risk
To avoid these pitfalls, it is advisable to steer clear of $_REQUEST. In scenarios where a combined GET and POST array is required, it is preferable to assemble it manually.
In PHP 5.3 and later versions, you can alter the default behavior of $_REQUEST to exclude cookies by setting the request_order configuration directive to "GP" (GET and POST only; the "C" in "GPC" stands for cookies). However, if this is not feasible, manually constructing the combined array remains the safer approach.
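The collision and both mitigations described above, as an added example that is not code from the original article. It is a simplified model of how PHP fills $_REQUEST for top-level keys. The function names build_request and form_input are hypothetical, and the sample arrays are constructed stand-ins for $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example: models how PHP fills $_REQUEST from an order string
// (later sources overwrite earlier ones) and compares it with a manual merge.

/**
 * Build a request array for a given request_order value.
 * $sources maps 'G', 'P' and 'C' to the contents of the matching superglobal.
 */
function build_request(string $order, array $sources): array
{
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // A later letter replaces any earlier value stored under the same key.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Combined GET + POST input; cookies are never consulted, POST wins on collision. */
function form_input(array $get, array $post): array
{
    return array_replace($get, $post);
}

// Constructed sample data: a form field and a stale cookie left by another
// application on the same site both use the name "lang".
$sources = [
    'G' => ['page' => '2'],
    'P' => ['lang' => 'fr', 'comment' => 'hello'],
    'C' => ['lang' => 'en', 'session' => 'constructed-value'],
];

$withCookies    = build_request('GPC', $sources); // cookies merged last
$withoutCookies = build_request('GP', $sources);  // cookies left out
$manual         = form_input($sources['G'], $sources['P']);

// Compare which "lang" value each approach hands to the application.
echo 'request_order=GPC lang: ', $withCookies['lang'], PHP_EOL;
echo 'request_order=GP  lang: ', $withoutCookies['lang'], PHP_EOL;
echo 'manual merge      lang: ', $manual['lang'], PHP_EOL;

// The manual merge also keeps cookie-only keys out of form handling.
echo 'manual merge has "session": ';
var_dump(array_key_exists('session', $manual));
```

In application code the manual merge is simply array_replace($_GET, $_POST), which does not depend on how request_order is set on the server.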