Hey guys, quick question: I have a checkbox system where a list of items can be checked and deleted on the click of a button. I currently use $_REQUEST and it does the job, but I was wondering if $_REQUEST was some sort of security risk or improper. If anyone has any advice I would appreciate it. Should I change to $_POST? If so, what is the best way to go about it?

    foreach ($_REQUEST as $key => $value) {
        if (substr($key, 0, 3) === "img") {
            $id = substr($key, 3);
            if (isset($_REQUEST['Delete'])) {
                $sql = 'SELECT file_name,username FROM images WHERE id=?';
                $stmt = $conn->prepare($sql);
                $result = $stmt->execute(array($id));

                while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
                    $image = $row['file_name'];
                    $user = $row['username'];
                    $myFile = "$user/images/$image";
                    unlink($myFile);
                }
            }
        }
    }

    echo "<input id=\"img".$id."\" name=\"img".$id."\" type=\"checkbox\">";
Scarface
  • possible duplicate of [What's wrong with using $_REQUEST[] ?](http://stackoverflow.com/questions/2142497/whats-wrong-with-using-request) – Gordon Jun 07 '10 at 06:28

3 Answers

Yes. You should change it to $_POST. Always use the appropriate Superglobals over $_REQUEST.

Because of the order in which data is assembled in $_REQUEST, it may very well be that keys will not be what you would expect. This can lead to serious security implications. See:

Gordon

As your app grows, using $_REQUEST instead of the appropriate array will most certainly make your documentation a nightmare. Using $_REQUEST to get $_GET or $_POST values is just unnecessary.

Babiker

Not really a security issue (an attacker can craft any GET/POST request he wants anyway, and even send it from a legitimate user's browser via CSRF), but a maintenance problem, because a cookie value can accidentally overwrite a request parameter. Also, you can get into trouble if you accept GET requests for e.g. deleting stuff - GET requests are assumed to be safe and user agents can be liberal with sending them. You should accept only POST for requests which change data or internal state, and GET for everything else.

Tgr
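The advice from these answers applied to the question's handler, as an added example (not code from the question or from any answer): it reads one explicit superglobal and refuses anything but a POST. It assumes the PDO connection $conn and the images(id, file_name, username) table from the question; the function names and $baseDir are the example's own.

```php
<?php
// Added example, not code from the question or from any answer: the asker's
// delete handler rewritten to read a single, explicit superglobal ($_POST)
// and to refuse any request that is not a POST. $conn (a PDO handle) and the
// images(id, file_name, username) table are taken from the question; the
// function names and $baseDir are this example's own assumptions.
declare(strict_types=1);

// Collect the ids of the checked "img<NN>" boxes from one explicit input
// array. Passing $_POST (never $_REQUEST) means a cookie or query-string
// value cannot stand in for a form field: when request_order is unset,
// $_REQUEST is built in variables_order ("EGPCS" by default), so a later
// source such as a cookie silently overwrites an earlier one.
function checkedImageIds(array $input): array
{
    $ids = [];
    foreach ($input as $key => $value) {
        // Accept only keys of the exact shape img<digits>; anything else is ignored.
        if (preg_match('/^img(\d+)$/', (string) $key, $m)) {
            $ids[] = (int) $m[1];
        }
    }
    return $ids;
}

// Look up each id and unlink the file, as the original loop does; returns the
// number of files removed so the caller can report it.
function deleteImages(PDO $conn, array $ids, string $baseDir): int
{
    $stmt = $conn->prepare('SELECT file_name, username FROM images WHERE id = ?');
    $removed = 0;
    foreach ($ids as $id) {
        $stmt->execute([$id]);
        while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            $path = "$baseDir/{$row['username']}/images/{$row['file_name']}";
            if (is_file($path) && unlink($path)) {
                $removed++;
            }
        }
    }
    return $removed;
}

// Only a POST may change state. A GET is rejected outright: user agents treat
// GET as safe and may issue it on their own (prefetching, history, crawlers).
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST' || !isset($_POST['Delete'])) {
    http_response_code(405);
    exit;
}
$removed = deleteImages($conn, checkedImageIds($_POST), __DIR__);
```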