22

Question in the title.

And what happens when all 3 of $_GET[foo], $_POST[foo] and $_COOKIE[foo] exist? Which one of them gets included in $_REQUEST?

Alive to die - Anant
Imran

  • The variables are overwritten according to the gpc_order in php.ini; also you should access your variables with quotes, like this: $_GET['foo'] – Alix Axel Aug 13 '09 at 12:13

6 Answers

53

I'd say never.

If I wanted something to be set via the various methods, I'd code for each of them to remind myself that I'd done it that way - otherwise you might end up with things being overwritten without realising.

Shouldn't it work like this:

  • $_GET = non-destructive actions (sorting, recording actions, queries)
  • $_POST = destructive actions (deleting, updating)
  • $_COOKIE = trivial settings (stylesheet preferences etc.)
  • $_SESSION = non-trivial settings (username, logged in?, access levels)

Rich Bradshaw
  • Excellent point on the GET versus POST methods, they are meant for different purposes. Few web applications work that way these days, however... – Internet Friend Sep 20 '08 at 09:38
  • I always thought the idea was that if you use get for deleting things, then bots could crawl those links and hence delete everything in the database... Sounded like a horror story, so I've always stuck to the schema above. – Rich Bradshaw Sep 20 '08 at 09:40
  • We're just struggling with this at my work. Our product is a CMS system which does *not* adhere to the rule above. We'd like to provide Google Mini appliances www.google.com/enterprise/mini/ to our clients, but it's impossible to let it crawl a CMS extranet because all hell would break loose :/ – Internet Friend Sep 20 '08 at 09:47
  • That's frustrating... It's good to think about this sort of thing before starting really! You could try rel="nofollow" on all the get links, then gradually remove ones that you know are safe - of course that's still a bit scary, not sure how strict Google is with nofollow. – Rich Bradshaw Sep 20 '08 at 10:51
  • It does respect nofollow, and it's possible to protect against it with many other means, of course. But it's still a lot of unnecessary work that could have been avoided by better design decisions in the first place. – Internet Friend Sep 20 '08 at 11:37
  • @RichBradshaw This helped me in 2013. Oh yes! – Yousuf Memon Apr 23 '13 at 15:17
7

Sometimes you might want the same script to be called in several different ways. A form submit and an AJAX call come to mind. In most cases, however, it's better to be explicit.

Also, see http://docs.php.net/manual/en/ini.core.php#ini.request-order on how the different sources of variables overwrite each other if there is a name collision.

Internet Friend
5

$_REQUEST is only a shortcut to prevent you from testing post, get and cookie if the data can come from any of these.

There are some pitfalls:

  • data is taken from GET, POST and finally COOKIE. The last overrides the first, so be careful with that.
  • REST architectures require you to separate the POST and GET semantics; you can't rely on $_REQUEST in that case.

Nevertheless, if you know what you're doing, then it's just another handy PHP trick.

I'd use it if I wanted to quickly update a var that may come from several sources, for example:

  • In your controller, to decide what page to serve without checking if the request comes from a form action or a hypertext link.

  • To check if a session is still active regardless of the way the session id is transmitted.

paulo77
Bite code
4

To answer the "what happens when all 3 exist" question, the answer is "it depends."

PHP auto-fills $_REQUEST based on the request_order directive (or variables_order if request_order is absent) in PHP.INI. The default is usually "GPC" which means GET is loaded first, then POST is loaded (overwriting GET if there is a collision), then cookies are loaded (overwriting get/post if there is a collision). However, you can change this directive in the PHP.INI file. For example, changing it to "CPG" makes cookies load first, then post, then get.

As far as when to use it? I'll echo the sentiment of "Never." You already don't trust the user, so why give the user more tools? As the developer, you should know where you expect the data to come from. It's all about reducing your attack surface area.

Nathan Strong
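To make the precedence described in this answer (and in the pitfalls listed in paulo77's answer) concrete, here is an added PHP example that is not code from any of the answers above: it rebuilds $_REQUEST from the three sources in the order the request_order letters dictate, and separately reports keys that arrived from more than one source so the ambiguity can be logged rather than silently resolved. The helper names build_request and find_collisions and the sample input are my own.

```php
<?php
// Added example, not code from the answers above: rebuilds $_REQUEST from the
// three sources in the order the request_order letters dictate (PHP falls back
// to variables_order when request_order is empty), and reports keys that were
// supplied by more than one source so the collision can be logged.

function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    // Merge left to right: a later letter overwrites any earlier value.
    // Letters such as E and S in variables_order are skipped, as PHP does for $_REQUEST.
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

function find_collisions(array $get, array $post, array $cookie): array
{
    $collisions = [];
    foreach (array_keys($get + $post + $cookie) as $key) {
        $seen = [];
        foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $name => $src) {
            if (array_key_exists($key, $src)) {
                $seen[$name] = $src[$key];
            }
        }
        if (count($seen) > 1) {
            $collisions[$key] = $seen;  // the same name arrived from several sources
        }
    }
    return $collisions;
}

// Constructed sample input: 'foo' is supplied by all three sources at once.
$get    = ['foo' => 'from-get', 'page' => 'list'];
$post   = ['foo' => 'from-post', 'action' => 'delete'];
$cookie = ['foo' => 'from-cookie', 'theme' => 'dark'];

$configured = ini_get('request_order') ?: ini_get('variables_order') ?: 'GPC';
foreach ([$configured, 'GPC', 'CPG'] as $order) {
    $value = build_request($get, $post, $cookie, $order)['foo'] ?? '(absent)';
    printf("order %-5s -> \$_REQUEST['foo'] = %s\n", $order, $value);
}
foreach (find_collisions($get, $post, $cookie) as $key => $seen) {
    error_log("ambiguous parameter '$key' supplied via " . implode(', ', array_keys($seen)));
}
```

Running it from the CLI prints which source wins for the interpreter's configured order and for the two orders discussed above, and logs every parameter name that was supplied by more than one source.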
2

When you're not certain where the values are populated or when you use them both and want to loop over all values by both POST and GET methods.

Sietse
1

I use POST when I don't want people to have easy access to what is being passed and I use GET when I don't mind them seeing the value in the url. I generally don't use cookies for much as I find SESSION to be fine for persisting values (although having a proper registry is the best way to utilize that).

rg88