TalkPHP - View Single Post

DeMo · 03-17-2008, 01:31 AM

$_REQUEST contains all the data in $_GET, $_POST and $_COOKIES.

If you use $_REQUEST to check if some data was passed to your page you don't know if this data is coming from the URL (script.php?variable=value), if it was posted from a form or if it was stored in a cookie.

Let's say you store the username in a cookie and then use it to print the username in every page.

PHP Code:


			
if (isset($_REQUEST['user'])) {

  echo 'Hello ' . $_REQUEST['user'];

} else {

  echo 'Hello Guest!';

}

Since you're using $_REQUEST, I can trick your page into displaying whatever I want just by typing page.php?user=SomeUser in the browser address bar.

03-17-2008, 01:31 AM	#2 (permalink)
DeMo The Contributor Join Date: Jan 2008 Location: Brazil Posts: 77 Thanks: 14	$_REQUEST contains all the data in $_GET, $_POST and $_COOKIES. If you use $_REQUEST to check if some data was passed to your page you don't know if this data is coming from the URL (script.php?variable=value), if it was posted from a form or if it was stored in a cookie. Let's say you store the username in a cookie and then use it to print the username in every page. PHP Code: `if (isset($_REQUEST['user'])) { echo 'Hello ' . $_REQUEST['user']; } else { echo 'Hello Guest!'; }` Since you're using $_REQUEST, I can trick your page into displaying whatever I want just by typing `page.php?user=SomeUser` in the browser address bar.