This question already has an answer here:
这个问题在这里已有答案:
- What's wrong with using $_REQUEST[]? 14 answers
使用$ _REQUEST []有什么问题? 14个答案
Besides the fact that $_REQUEST reads from cookies, are there any reasons why I should use $_GET and $_POST instead of $_REQUEST? What are theoretical and practical reasons for doing so?
除了$ _REQUEST读取cookie之外,有什么理由说我应该使用$ _GET和$ _POST而不是$ _REQUEST?这样做的理论和实践原因是什么?
7 个解决方案
#1
8
I use $_REQUEST when I just want certain data from the user to return certain data.
当我只想要用户的某些数据返回某些数据时,我使用$ _REQUEST。
Never use $_REQUEST when the request will have side effects. Requests that produce side effects should be POST (for semantic reasons, and also because of basic CSRF stuff, a false img tag can hit any GET endpoint without a user even knowing).
当请求有副作用时,切勿使用$ _REQUEST。产生副作用的请求应该是POST(出于语义原因,并且由于基本的CSRF原因,错误的img标记可以在没有用户知道的情况下命中任何GET端点)。
$_GET should be used when GETing or POSTing to a page will produce different results.
当GETing或POST到页面时会产生$ _GET会产生不同的结果。
#2
8
Besides the fact that $_REQUEST reads from cookies
除了$ _REQUEST从cookie读取的事实
Besides the fact that this is undefined (It's configurable on a per-installation level), the problem using $_REQUEST is that it over-simplifies things. There is (or should be) a semantic difference between a GET request and a POST request. Thus it should matter to your application if you get input from one source or the other. This is how the HTTP protocol is defined, so by ignoring it, you are undermining the protocol, which makes your application less interoperable. It's the same type argument that can be made for using semantic HTML markup, rather than presentation-oriented markup. Or more generally, following the intentions of a protocol rather than just doing whatever works in the concrete situation.
除了这是未定义的事实(它可以在每个安装级别配置),使用$ _REQUEST的问题是它过度简化了事情。 GET请求和POST请求之间存在(或应该)语义差异。因此,如果您从一个源或另一个源获得输入,那么它对您的应用程序很重要。这就是HTTP协议的定义方式,因此通过忽略它,您正在破坏协议,这使您的应用程序可以减少互操作性。它与使用语义HTML标记而不是面向表示的标记可以是相同的类型参数。或者更一般地说,遵循协议的意图而不是仅仅在具体情况下做任何工作。
#3
5
You already gave one of the answers, so I'll give another:
你已经给出了一个答案,所以我会给另一个:
It's more of a stylistic choice. For instance, you don't usually want information that changes state on the server to be cacheable, so you probably want to restrict it to $_POST variables.
这更像是一种风格选择。例如,您通常不希望在服务器上更改状态的信息是可缓存的,因此您可能希望将其限制为$ _POST变量。
#4
4
The usage of $_REQUEST opens some attack vectors to your application where variables could be overwritten where you wouldn't want it to happen.
$ _REQUEST的使用会向您的应用程序打开一些攻击向量,其中变量可能被覆盖,您不希望它发生。
Also consider the order GPC (Get, Post, Cookie) on which the $_REQUEST will get filled.
还要考虑$ _REQUEST将被填充的订单GPC(Get,Post,Cookie)。
i.e. a request with:
即一项请求:
$_GET['foo'] = 'bar'
$_POST['foo'] = 'baz'
will result in
会导致
$_REQUEST['foo'] == 'bar'
$ _REQUEST ['foo'] =='bar'
#5
2
the often-mentioned insecurity of $_REQUEST is bogus. all these are ways to get data from the user, which has a non-secured machine. you always have to sanitise the input, so there's no real security advantage from using either one.
经常提到的$ _REQUEST的不安全感是假的。所有这些都是从用户获取数据的方法,用户拥有非安全机器。你总是需要对输入进行消毒,因此使用任何一个都没有真正的安全优势。
it's only significant if you have different uses for values with the same name on different channels. in that case, you should rename some of them anyway.
如果您对不同渠道上具有相同名称的值有不同的用途,那么它才有意义。在这种情况下,你应该重命名其中一些。
#6
2
HTTP GET is semantically meant to be used to fetch a page, while POST can be argued that when used, you'd expect that some kind of state is changed.
HTTP GET在语义上用于获取页面,而POST可以说在使用时,您会期望某种状态发生变化。
For example, there's an expectation that using GET with the same parameters multiple times yield the same results, while using POST, they may not.
例如,期望多次使用具有相同参数的GET产生相同的结果,而使用POST时,它们可能不会。
Not using POST when you should yield to problems. I think the Ruby on Rails AJAX libraries used GET instead of POST, and lead to a lot of data being lost when being touched upon by web spiders.
当你遇到问题时不使用POST。我认为Ruby on Rails AJAX库使用GET而不是POST,并且当被Web蜘蛛触及时会导致大量数据丢失。
Hence, you should probably avoid using $_REQUEST. You should know the purposes of what the page does, and decide on how to answer a GET request, and how to answer a POST request.
因此,您应该避免使用$ _REQUEST。您应该知道页面的用途,并决定如何回答GET请求,以及如何回答POST请求。
#7
0
Here's one I've just found: When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?. I'm sorry I didn't find it sooner, so I wouldn't have asked the question...
这是我刚发现的一个:何时以及为什么要使用$ _REQUEST而不是$ _GET / $ _POST / $ _COOKIE?对不起,我没有早点找到,所以我不会问这个问题......
#1
8
I use $_REQUEST when I just want certain data from the user to return certain data.
当我只想要用户的某些数据返回某些数据时,我使用$ _REQUEST。
Never use $_REQUEST when the request will have side effects. Requests that produce side effects should be POST (for semantic reasons, and also because of basic CSRF stuff, a false img tag can hit any GET endpoint without a user even knowing).
当请求有副作用时,切勿使用$ _REQUEST。产生副作用的请求应该是POST(出于语义原因,并且由于基本的CSRF原因,错误的img标记可以在没有用户知道的情况下命中任何GET端点)。
$_GET should be used when GETing or POSTing to a page will produce different results.
当GETing或POST到页面时会产生$ _GET会产生不同的结果。
#2
8
Besides the fact that $_REQUEST reads from cookies
除了$ _REQUEST从cookie读取的事实
Besides the fact that this is undefined (It's configurable on a per-installation level), the problem using $_REQUEST is that it over-simplifies things. There is (or should be) a semantic difference between a GET request and a POST request. Thus it should matter to your application if you get input from one source or the other. This is how the HTTP protocol is defined, so by ignoring it, you are undermining the protocol, which makes your application less interoperable. It's the same type argument that can be made for using semantic HTML markup, rather than presentation-oriented markup. Or more generally, following the intentions of a protocol rather than just doing whatever works in the concrete situation.
除了这是未定义的事实(它可以在每个安装级别配置),使用$ _REQUEST的问题是它过度简化了事情。 GET请求和POST请求之间存在(或应该)语义差异。因此,如果您从一个源或另一个源获得输入,那么它对您的应用程序很重要。这就是HTTP协议的定义方式,因此通过忽略它,您正在破坏协议,这使您的应用程序可以减少互操作性。它与使用语义HTML标记而不是面向表示的标记可以是相同的类型参数。或者更一般地说,遵循协议的意图而不是仅仅在具体情况下做任何工作。
#3
5
You already gave one of the answers, so I'll give another:
你已经给出了一个答案,所以我会给另一个:
It's more of a stylistic choice. For instance, you don't usually want information that changes state on the server to be cacheable, so you probably want to restrict it to $_POST variables.
这更像是一种风格选择。例如,您通常不希望在服务器上更改状态的信息是可缓存的,因此您可能希望将其限制为$ _POST变量。
#4
4
The usage of $_REQUEST opens some attack vectors to your application where variables could be overwritten where you wouldn't want it to happen.
$ _REQUEST的使用会向您的应用程序打开一些攻击向量,其中变量可能被覆盖,您不希望它发生。
Also consider the order GPC (Get, Post, Cookie) on which the $_REQUEST will get filled.
还要考虑$ _REQUEST将被填充的订单GPC(Get,Post,Cookie)。
i.e. a request with:
即一项请求:
$_GET['foo'] = 'bar'
$_POST['foo'] = 'baz'
will result in
会导致
$_REQUEST['foo'] == 'bar'
$ _REQUEST ['foo'] =='bar'
#5
2
the often-mentioned insecurity of $_REQUEST is bogus. all these are ways to get data from the user, which has a non-secured machine. you always have to sanitise the input, so there's no real security advantage from using either one.
经常提到的$ _REQUEST的不安全感是假的。所有这些都是从用户获取数据的方法,用户拥有非安全机器。你总是需要对输入进行消毒,因此使用任何一个都没有真正的安全优势。
it's only significant if you have different uses for values with the same name on different channels. in that case, you should rename some of them anyway.
如果您对不同渠道上具有相同名称的值有不同的用途,那么它才有意义。在这种情况下,你应该重命名其中一些。
#6
2
HTTP GET is semantically meant to be used to fetch a page, while POST can be argued that when used, you'd expect that some kind of state is changed.
HTTP GET在语义上用于获取页面,而POST可以说在使用时,您会期望某种状态发生变化。
For example, there's an expectation that using GET with the same parameters multiple times yield the same results, while using POST, they may not.
例如,期望多次使用具有相同参数的GET产生相同的结果,而使用POST时,它们可能不会。
Not using POST when you should yield to problems. I think the Ruby on Rails AJAX libraries used GET instead of POST, and lead to a lot of data being lost when being touched upon by web spiders.
当你遇到问题时不使用POST。我认为Ruby on Rails AJAX库使用GET而不是POST,并且当被Web蜘蛛触及时会导致大量数据丢失。
Hence, you should probably avoid using $_REQUEST. You should know the purposes of what the page does, and decide on how to answer a GET request, and how to answer a POST request.
因此,您应该避免使用$ _REQUEST。您应该知道页面的用途,并决定如何回答GET请求,以及如何回答POST请求。
#7
0
Here's one I've just found: When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?. I'm sorry I didn't find it sooner, so I wouldn't have asked the question...
这是我刚发现的一个:何时以及为什么要使用$ _REQUEST而不是$ _GET / $ _POST / $ _COOKIE?对不起,我没有早点找到,所以我不会问这个问题......