揭開$ _request的奧秘:獲得,張貼和餅乾發生衝突
$_REQUEST合併GET、POST和COOKIE數據,但存在安全和可預測性風險;當鍵衝突時,其覆蓋順序由php.ini中的variables_order或request_order決定,默認為EGPCS,即POST覆蓋GET,GET覆蓋COOKIE;例如,當GET、POST和COOKIE中均有"user"參數時,POST值勝出;使用$_REQUEST可能導致安全漏洞、行為不可預測及測試困難;最佳實踐是避免使用$_REQUEST,而應明確使用$_GET、$_POST或$_COOKIE;僅在輸入源無關的通用過濾、安全框架或原型開發中有限使用;總之,由於其行為依賴配置且易被濫用,應優先選擇特定超全局變量以確保代碼清晰與安全。
When working with PHP, you've likely come across $_GET , $_POST , and $_COOKIE —superglobals that store data from different sources. But there's another one that often raises eyebrows: $_REQUEST . It's a convenient shortcut, but it can also introduce subtle bugs if you don't understand how it works. Let's break down what $_REQUEST really is, how it behaves when GET, POST, and COOKIE data collide, and why you should think twice before using it.
What Is $_REQUEST ?
$_REQUEST is a PHP superglobal that, by default, contains the contents of $_GET , $_POST , and $_COOKIE . It's a merged array allowing you to access request data without knowing the method or source upfront.
For example:
// If you send a GET request: ?name=John echo $_REQUEST['name']; // Outputs: John // Or submit a form via POST with name=Jane echo $_REQUEST['name']; // Outputs: Jane // Or if a cookie named 'name' exists echo $_REQUEST['name']; // Outputs the cookie value
This seems handy—no need to check which method was used. But convenience comes at a cost.
How Does $_REQUEST Handle Conflicts?
When the same key exists in more than one of $_GET , $_POST , or $_COOKIE , PHP doesn't merge them—it overwrites them based on a predefined order. This order is controlled by the variables_order or request_order directives in php.ini .
By default, most PHP installations use:
variables_order = "EGPCS"
Which stands for:
- E → Environment variables
- G → GET
- P → POST
- C → Cookies
- S → Server variables
So when $_REQUEST is populated, values are merged in that order, with later entries overwriting earlier ones.
But here's the catch: $_REQUEST only includes G, P, and C by default, and the priority order is actually determined by the sequence in request_order . If not set, it follows variables_order , and typically, POST takes precedence over GET, which takes precedence over COOKIE .
For example:
// Request: ?user=admin // POST data: user=hacker // Cookie: user=guest echo $_REQUEST['user']; // Outputs: hacker (POST wins)
This means an attacker could potentially override URL parameters (GET) by including the same parameter in POST—even if your logic assumes the value comes from the query string.
Security and Predictability Risks
Using $_REQUEST can lead to:
- Security vulnerabilities : If you're checking a token in GET but allow it to be overridden via POST or cookies, you might weaken CSRF protections.
- Unpredictable behavior : The same script might behave differently based on how data is sent, making bugs hard to trace.
- Testing complexity : Mocking requests becomes harder when multiple input sources affect the same variable.
For instance, imagine this code:
if ($_REQUEST['action'] === 'delete') {
deleteAccount();
}An attacker could:
- Send a POST request with
action=delete, even if the link was meant to be GET-only. - Set a malicious cookie that triggers the action unexpectedly.
Best Practices: When (and When Not) to Use $_REQUEST
In most cases, avoid $_REQUEST . Instead:
- Use
$_GETwhen expecting URL parameters. - Use
$_POSTfor form submissions. - Use
$_COOKIEonly when explicitly dealing with cookies.
This makes your code more secure and easier to audit.
However, $_REQUEST might be acceptable in limited scenarios:
- Generic input filters where source doesn't matter (eg, logging all input).
- Frameworks or routers that abstract input handling safely.
- Quick prototypes (but remove it before production).
Even then, explicitly checking each source gives you more control.
Bottom Line
$_REQUEST is like a magic box that combines inputs—but the box has rules you can't always see. When GET, POST, and COOKIE collide, the winner depends on PHP's internal configuration, not your intent. That unpredictability is dangerous.
Stick to the specific superglobals. Know your data source. Write clearer, safer code.
Basically: just because you can use $_REQUEST , doesn't mean you should .
以上是揭開$ _request的奧秘:獲得,張貼和餅乾發生衝突的詳細內容。更多資訊請關注PHP中文網其他相關文章!
熱AI工具
Undress AI Tool
免費脫衣圖片
Undresser.AI Undress
人工智慧驅動的應用程序,用於創建逼真的裸體照片
AI Clothes Remover
用於從照片中去除衣服的線上人工智慧工具。
Clothoff.io
AI脫衣器
Video Face Swap
使用我們完全免費的人工智慧換臉工具,輕鬆在任何影片中換臉!
熱門文章
熱工具
記事本++7.3.1
好用且免費的程式碼編輯器
SublimeText3漢化版
中文版,非常好用
禪工作室 13.0.1
強大的PHP整合開發環境
Dreamweaver CS6
視覺化網頁開發工具
SublimeText3 Mac版
神級程式碼編輯軟體(SublimeText3)
使用PHP的$ _request超級全局的固有安全風險
Aug 02, 2025 am 01:30 AM
UsingPHP’s$_REQUESTsuperglobalintroducessecurityrisksbecauseitcombinesinputfrom$_GET,$_POST,and$_COOKIE,leadingtounpredictablebehavior;2.Itallowsunintendedinputsourcestooverrideintendedones,suchasamaliciouscookietriggeringadeleteactionmeanttocomefrom
超越衛生化:$ _request的數據歧義的基本問題
Aug 03, 2025 am 04:23 AM
Using$_REQUESTintroducesdataambiguitybymerginginputsfrom$_GET,$_POST,and$_COOKIE,makingitimpossibletodeterminethesourceofdata.2.Thisunpredictabilityweakenssecuritybecausedifferentsourceshavedifferenttrustlevelsandattackvectors,suchasCSRFviaGETorsessi
解構危險:為什麼現代PHP開發人員避免$ _request
Aug 02, 2025 pm 03:10 PM
$_REQUESTisdiscouragedinmodernPHPbecauseitmergesinputfrom$_GET,$_POST,and$_COOKIE,creatingsourceambiguitythatunderminessecurityandpredictability.2.Thisambiguityenablesattackssuchascookietampering,requestmethodconfusion,andCSRFbypass,asseenwhenamalici
揭開$ _request的奧秘:獲得,張貼和餅乾發生衝突
Aug 06, 2025 am 08:06 AM
$_REQUEST合併GET、POST和COOKIE數據,但存在安全和可預測性風險;當鍵衝突時,其覆蓋順序由php.ini中的variables_order或request_order決定,默認為EGPCS,即POST覆蓋GET,GET覆蓋COOKIE;例如,當GET、POST和COOKIE中均有"user"參數時,POST值勝出;使用$_REQUEST可能導致安全漏洞、行為不可預測及測試困難;最佳實踐是避免使用$_REQUEST,而應明確使用$_GET、$_POST或$_C
從$ _request到請求對象:現代框架中輸入處理的演變
Aug 06, 2025 am 06:37 AM
從$ _requestToreQuestObjectSrepresentsamajorimProvementInphpDevelopment.1.RequestObjectSabstractstractsuperglobalsIntoAclean,一致,消除,消除bighancebiguityaboutinputsources.2.theyeneenenhancesecuritybutinable andfiritiatiand
深入研究$ _request vs. $ _ post vs. $ _get:理解優先級和陷阱
Aug 06, 2025 pm 05:42 PM
避免使用$ _requestDuetunPrediCtabledAtasOutAtasOudatAseCurityRisks; 2.使用$ _getForideMpotEntoperationsLikeFiltering,$ _ forportate-forState-forState-changingactionsLikeFormSubmission; 3.thevaluein $ _requestdeplysonRequestDeptsonRequestDepliandeptsonRequestDeppedsonRequestdeppedsonrequestdepliandeplyquior_ $ quiorQiorQiorQiorQiorquior lade teedtotosent;
掌握輸入控制:php.ini中的``request_order''
Aug 08, 2025 pm 06:02 PM
terequest_orderdireativeinphp.inidetermineswhichdatasources(get,post,cookie)aremergedInto $ _requestandtheirprecedenceOrder; tofexample,request_orders_order =“ gp”表示$ _requequestincludesonlygudesonlygudesonlygetandpostdata,withpostostobostostostostoverristoverristoderristingwhenenekeysConteNekeySconaneNekeysConfort;
確保您的應用程序:為什麼明確$ _get和$ _post優於$ _request
Aug 08, 2025 pm 05:18 PM
Using$_GETand$_POSTinsteadof$_REQUESTismoresecurebecauseitensurespredictableinputsources,2.ItpreventsparameterconflictsduetooverlappingnamesinGET,POST,andCOOKIE,3.ItstrengthensdefensesagainstCSRFbyenforcingrequestmethodintegrity,4.Itimprovescodeclari
