Is it wrong to use $_REQUEST for Data?

Posted 2019-06-21 22:45

Question:

So, I've been coding for a little (2 years), and I have a very subjective question:

Is it wrong to use $_REQUEST for Data?

This mainly pertains to authentication by the way.

If you think about the 3 ways data can occur in $_REQUEST, it can come from either a cookie, a form, or a query string. Now, I know that most people directly grab the information from either $_POST or $_GET, using $_COOKIE only when they are expecting a cookie.

My theory is that in reality, there shouldn't be any difference in this data, and it shouldn't make any difference if you replaced $_POST or $_GET with $_REQUEST.

If you are authenticating a user into the system, does it really matter if the authentication details are contained in the $_POST or $_GET array? Heck, it probably shouldn't matter if they are in $_COOKIE either. They are still giving you credentials to log into the site, which you should check for correctness, and if so log them in.

Now, I do realize there are security issues if you try to have a login form that submits data via a query string, but I don't believe that pertains to the question. Also, if someone fails a login too many times, there should be proper limits set in place to avoid overloading the server.

I'd like to hear the opinion about this.

Community Wiki'd for good measure.


Oh, and just by the way, here are other StackOverflow questions that relate if you have other questions about $_REQUEST:

Why should I use $_GET and $_POST instead of $_REQUEST?

When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?

Answer 1:

In "good" coding practice, you want to disambiguate as much as possible.

Since $_REQUEST contains the data from $_POST, $_GET, and $_COOKIE by default, the value held by the variable that stores the data retrieved using $_REQUEST will be ambiguous as to which method it came from.

If we are more specific, it will benefit readability of code, as well as understanding of logic, and helps for debugging in the future.

(Let alone the security issues concerning each method, especially the $_GET one)



Answer 2:

I'd say avoid it altogether. I agree with Sev that disambiguation is important for many reasons (debugging, clarity/self-documentation, elegance, etc.), but there are significant security issues that could arise, and that would be my main reason for avoiding it.

As a simple example, what happens when the same key is sent in two of the arrays (e.g. $_POST['criticalInfo'] and $_GET['criticalInfo'])? As with most security issues, the vulnerabilities present themselves in the individual implementation, so it would be impossible to guess your specific risks. The fact is that ambiguity often opens up holes.



Answer 3:

Don't leave it up to "variables_order" in PHP_INI to determine where your script gets variables from. Use $_GET, $_POST, etc.



Answer 4:

It is also about not letting credentials come in any other way than a POST request. I would not want my GET request to have side-effects (like logging in the user).



Answer 5:

Is it wrong? No.

Is it inferior to $_GET or $_POST? Yes. Use the right array and you'll avoid all kinds of problems that stem from not knowing where the array contents of $_REQUEST came from.
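
The ambiguity the answers above describe, as an added example that is not part of the original thread: a simulation of how PHP fills $_REQUEST left to right according to request_order (later sources overwrite earlier ones), next to a reader that accepts credentials only from the body of a POST request. The functions build_request and credentials_from_post, the username and password field names, and all sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Simulates how PHP builds $_REQUEST: sources are merged left to right in the
// order given by request_order (variables_order is used when request_order is
// unset), and a later source overwrites the same key from an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is, including numeric ones.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical helper: credentials are taken only from the POST body of a
// POST request, never from the query string or a cookie.
function credentials_from_post(string $method, array $post): ?array
{
    if ($method !== 'POST') {
        return null;
    }
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return null;
    }
    return ['username' => $user, 'password' => $pass];
}

// Constructed sample input: the same key arrives through all three channels.
$get    = ['criticalInfo' => 'from-query-string'];
$post   = ['criticalInfo' => 'from-form-body', 'username' => 'alice', 'password' => 'constructed-sample'];
$cookie = ['criticalInfo' => 'from-cookie'];

// The value the script would see in $_REQUEST depends on server configuration.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $seen = build_request($order, $get, $post, $cookie)['criticalInfo'];
    printf("request_order=%-3s => %s\n", $order, $seen);
}

// Reading from an explicit source does not depend on that configuration.
var_dump(credentials_from_post('GET', $post));
var_dump(credentials_from_post('POST', $post));
```

Running it with the PHP CLI prints a different criticalInfo value for each ordering, while the explicit reader returns the same result regardless of request_order.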