
I'm following an amateur online grade for beginners in Symfony, but I've just stepped into a part where the instructor is using REQUEST to manage GET and POST requests. In standard PHP, the use of REQUEST is disregarded due to security issues.

That's pretty much the question; just in case I'm asking a dumb question, I'll give some context. If the grade had been perfectly driven before this, I wouldn't ask and would just believe it is a good practice in Symfony, but this is not the first time I've noticed strange habits in this guy's programming, so I don't know if it's a good idea to follow the grade anymore.

Rajo
    `"In standard PHP, the use of REQUEST is disregarded due to security issues."`. Where have you read that? $_REQUEST is just a superglobal containing get, post, and cookie data. There's nothing inherently insecure with request data, you just have to use it properly. I linked a duplicate regarding SQL injections since that is the main culprit with invalid use of request data. – Devon Bessemer Jul 16 '18 at 16:30
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Devon Bessemer Jul 16 '18 at 16:33
  • Also could open you to XSS injections. but `COOKIE`, `POST`, and `GET` have the same issues. – user3783243 Jul 16 '18 at 16:36
  • I know that you can sanitize REQUEST, but is it or isn't it less safe than just using POST and GET? – Rajo Jul 16 '18 at 16:39
  • Why would it be "unsafer"? What, in your mind, makes it unsafe? It's just a variable that contains data supplied by the web server. If it were so unsafe, don't you think that it... wouldn't be available in the language in the first place? It's what you **do** with the data, not where you **read** it from. Also, I want to support Devon's comment - what you wrote is not true, the `$_REQUEST` is not disregarded due to security issues, it's simply a variable that contains the contents of both `$_POST` and `$_GET`. – N.B. Jul 16 '18 at 16:41

1 Answer


Using $_REQUEST isn't any more or less safe than using $_GET or $_POST. They contain the same data. But it's concerning for another reason.

Standard practice in Symfony is to use the Request interface to get query arguments. There is no reason to use superglobals like $_REQUEST in a Symfony application -- the fact that the tutorial does so suggests that they may not actually understand the framework very well.
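To make the answer concrete, here is an added example (not code from the tutorial in the question or from the answer above) contrasting the superglobal habit with the idiomatic Symfony way of reading the same data. It assumes a Symfony 4+ project with `symfony/http-foundation` installed; the controller name, route and the `q` parameter are made up for illustration.

```php
<?php
// Added example, not from the original post. Assumes symfony/http-foundation is installed.
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

// Tutorial-style habit: reading a superglobal inside a controller.
// This is not "less safe" by itself (same bytes as $_GET/$_POST), but it bypasses the
// Request object Symfony injects, is untestable without a real web server, and
// $_REQUEST hides whether the value came from the query string, the body or a cookie.
function searchLegacy(): Response
{
    $term = $_REQUEST['q'] ?? '';
    // Safety is decided here, by escaping before the value reaches HTML.
    return new Response('Search term: ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8'));
}

// Idiomatic Symfony: the Request is passed in and each source is its own ParameterBag.
class SearchController
{
    public function search(Request $request): Response
    {
        // Query-string parameter (?q=...), the equivalent of $_GET['q']
        $fromQuery = $request->query->get('q', '');
        // Form-body parameter, the equivalent of $_POST['q']
        $fromBody = $request->request->get('q', '');
        // Cookie value, the equivalent of $_COOKIE['q']
        $fromCookie = $request->cookies->get('q', '');

        // The origin of the data is now explicit in the code, so a reviewer can see
        // that a state-changing POST handler does not silently accept a GET parameter.
        $term = $request->isMethod('POST') ? $fromBody : $fromQuery;

        // What you do with the data still decides safety: escape for HTML output
        // (Twig templates do this automatically with autoescape enabled).
        return new Response('Search term: ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8'));
    }
}

// Stand-alone demo without a web server: build requests the way Symfony's test
// client does. Request::create() puts POST parameters into $request->request and
// query-string parameters into $request->query.
$get = Request::create('/search?q=<b>hi</b>', 'GET');
$post = Request::create('/search', 'POST', ['q' => 'body-term']);
$controller = new SearchController();
echo $controller->search($get)->getContent(), PHP_EOL;   // HTML-escaped query value
echo $controller->search($post)->getContent(), PHP_EOL;  // value from the POST body
```

The point the answer makes is visible in the last lines: with the Request object you can construct a GET and a POST in a unit test and assert on each path separately, which is impossible when the controller reaches into `$_REQUEST` itself.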