[UPHPU] receiving with $_REQUEST

Chad Sollis uphpu at sollis.net
Thu Feb 28 23:05:20 MST 2008


I was very excited about this thread (thanks wade), in hopes to curb a long
standing question I've had on this topic.

Although I appreciate and agree with most of what has been said, I still
have not heard anything convincing as to why not to use $_REQUEST.  That
said, let me preface my comments with, I have no objection to using strict
definitions of $_POST or $_GET... But there is more to consider.

A few clarifying points:
1) all input regardless of how you obtain it needs to be "handled" or
cleansed properly before use.  When RETRIEVING data, and using one variable
(like REQUEST) it is far more effective to treat all of this data in one
place.

2) people that use REQUEST are neither lazy nor "dumb" nor bad programmers, if
they use the variable appropriately

3) good programming should be secure.  Absolutely no argument there.
Additionally, it should be scalable, flexible, and accessible.

4) using REQUEST isn't using HTTP protocols inappropriately.  It's a
variable...  Nothing more.  If properly used, you are leveraging the actual
protocols.   And can actually be quite powerful and effective.

The only REAL negative explanation from today's thread of using REQUEST is
the possibility of reading a cookie when you meant to read a GET/POST (this
of course could easily be managed in your handling/cleansing of the data. OR
in an environment where php.ini changes are accessible via .htaccess or
ini_set, the variable_order or gpc_order (both have PHP_INI_ALL access) can
be set to make cookies first read, and allow GET/POST to trump the cookie)

A good programmer should assess the problem/application and weigh the pros
and cons of multiple scenarios and implications/accessibility of each.  With
only 1 maybe 2, cons for using REQUEST, and a slew of positives, it COULD be
right for many applications.  The common consensus in this thread is that
REQUEST poses no REAL DIFFERENT security threat, and the other concern is
easily managed, so please help me see the negative use here, seriously.

Anyone (and I assume many of you qualify here) who has used web
services extensively or APIs, either as a consumer or provider, knows that
both protocols are used frequently.  In using Salesforce.com, ebay, amazon,
and several other webservices it is basically a necessity to accept/SEND
with either GET or POST.  This could be accomplished with a bit of logic and
additional code around a strict definition of GET/POST or you could use
REQUEST.

Like I said, I am not saying that using GET/POST is wrong, but I am saying
that using REQUEST is very effective in many, many circumstances.

Many thanks for all your insight on this topic!

~Chad
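
The following is an added example, not part of the original message: a PHP sketch of how the merge order decides whether a cookie or a GET/POST value ends up under a key, plus a check for keys that arrive from more than one source. The function names `merge_request` and `ambiguous_keys` and the sample values are constructed for illustration, and the merge is a simulation of the ordering behaviour rather than PHP's own code.

```php
<?php
// Added illustration; function names and sample values are constructed.

// Merge the three sources in the order given by a letter string
// ("G" = GET, "P" = POST, "C" = cookie). Later letters overwrite earlier ones.
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is, so later sources win on conflict.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// List keys supplied by more than one source, so the handling code can
// reject or log them instead of silently taking whichever was merged last.
function ambiguous_keys(array $get, array $post, array $cookie): array
{
    $seen = [];
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $name => $values) {
        foreach (array_keys($values) as $key) {
            $seen[$key][] = $name;
        }
    }
    return array_filter($seen, fn(array $names): bool => count($names) > 1);
}

// Constructed sample request: the same key arrives as a query parameter and a cookie.
$get    = ['item' => '42', 'page' => '2'];
$post   = [];
$cookie = ['item' => '7', 'theme' => 'dark'];

var_dump(merge_request('GPC', $get, $post, $cookie)['item']); // cookie merged last
var_dump(merge_request('CGP', $get, $post, $cookie)['item']); // GET merged last
print_r(ambiguous_keys($get, $post, $cookie));
```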

