178  

There's absolutely nothing wrong with taking input from both $_GET and $_POST in a combined way. In fact that's what you almost always want to do:

以组合的方式从$_GET和$_POST获取输入绝对没有错。事实上，这就是你一直想做的:

• for a plain idempotent request usually submitted via GET, there's the possibility the amount of data you want won't fit in a URL so it has be mutated to a POST request instead as a practical matter.

  对于通常通过GET提交的普通幂等请求，可能您想要的数据量不适合URL，因此它已经被修改为POST请求。

• for a request that has a real effect, you have to check that it's submitted by the POST method. But the way to do that is to check $_SERVER['REQUEST_METHOD'] explicitly, not rely on $_POST being empty for a GET. And anyway if the method is POST, you still might want to take some query parameters out of the URL.

  对于具有实际效果的请求，您必须检查POST方法是否提交了它。但是实现这一点的方法是显式地检查$_SERVER['REQUEST_METHOD']，而不是依赖$_POST为空获取。不管怎样，如果方法是POST，你可能仍然想从URL中取出一些查询参数。

No, the problem with $_REQUEST is nothing to do with conflating GET and POST parameters. It's that it also, by default, includes $_COOKIE. And cookies really aren't like form submission parameters at all: you almost never want to treat them as the same thing.

不，$_REQUEST的问题与GET和POST参数的合并无关。默认情况下，它还包含$_COOKIE。而且cookie根本不像表单提交参数:你几乎从来都不想把它们当作一回事。

If you accidentally get a cookie set on your site with the same name as one of your form parameters, then the forms that rely on that parameter will mysteriously stop working properly due to cookie values overriding the expected parameters. This is very easy to do if you have multiple apps on the same site, and can be very hard to debug when you have just a couple of users with old cookies you don't use any more hanging around and breaking the forms in ways no-one else can reproduce.

如果您不小心在您的站点上设置了一个与您的表单参数相同的cookie，那么依赖该参数的表单将神秘地停止正常工作，因为cookie值覆盖了预期的参数。如果您在同一个站点上有多个应用程序，这是非常容易做到的，而且当您只有几个拥有旧cookie的用户时，您就很难调试了，您将不再使用这些旧cookie并以其他任何人都无法复制的方式破坏表单。

You can change this behaviour to the much more sensible GP (no C) order with the request_order config in PHP 5.3. Where this is not possible, I personally would avoid $_REQUEST and, if I needed a combined GET+POST array, create it manually.

您可以使用PHP 5.3中的request_order配置将这种行为更改为更合理的GP(无C)顺序。如果这是不可能的，我个人会避免$_REQUEST，如果我需要一个联合的GET+POST数组，就手动创建它。

68  

I've been digging through some newsgroup posts on PHP Internals and found an interesting discussion about the topic. The initial thread was about something else, but a remark by Stefan Esser, a (if not the) security expert in the PHP world turned the discussion towards the security implications of using $_REQUEST for a few posts.

我一直在浏览一些关于PHP内部内容的新闻组文章，并发现了关于这个主题的有趣讨论。最初的线程是关于其他东西的，但是PHP领域的安全专家Stefan Esser(如果不是的话)的评论将讨论的焦点转向了在几个帖子中使用$_REQUEST的安全性问题。

Citing Stefan Esser on PHP Internals

在PHP内部引用Stefan Esser。

$_REQUEST is one of the biggest design weaknesses in PHP. Every application using $_REQUEST is most probably vulnerable to Delayed Cross Site Request Forgery problems. (This basically means if e.g. a cookie named (age) exists it will always overwrite the GET/POST content and therefore unwanted requests will be performed)

$_REQUEST是PHP中最大的设计缺陷之一。每个使用$_REQUEST的应用程序都很可能容易受到延迟跨站点请求伪造问题的影响。(这基本上意味着如果存在一个名为(age)的cookie，它将总是覆盖GET/POST内容，因此将执行不需要的请求)

and in a later reply to the same thread

并在稍后的回复中回复相同的线程

It is not about the fact that someone can forge GET, POST; COOKIE variables. It is about the fact that COOKIEs will overwrite GET and POST data in REQUEST.

它不是关于一个人可以伪造得到，张贴的事实;饼干变量。cookie会覆盖GET和POST请求中的数据。

Therefore I could infect your browser with a cookie that says e.g. action=logout and from that day on you cannot use the application anymore because REQUEST[action] will be logout forever (until you manually delete the cookie).

因此，我可以用一个cookie感染您的浏览器，这个cookie说，例如action=logout，从那天开始，您就不能再使用这个应用程序了，因为请求[action]将永远被注销(直到您手动删除这个cookie)。

And to infect you with a COOKIE is so simple...
a) I could use an XSS vuln in any application on a subdomain
b) Ever tried setting a cookie for *.co.uk or *.co.kr when you own a single domain there?
c) Other cross domain whatever ways...

用饼干感染你很简单……a)我可以在任何子域上的应用程序中使用XSS vuln; b)曾经尝试过为*.co设置cookie。当你拥有一个域名的时候，你是英国还是*.co.kr ?c)其他交叉域，无论如何……

And if you believe that this is not an issue then I can tell you that there is a simple possibility to set f.e. a *.co.kr cookie that results in several PHP versions just returning white pages. Imagine: Just a single cookie to kill all PHP pages in *.co.kr

如果您认为这不是问题，那么我可以告诉您，有一种简单的可能性来设置f.e.a *.co.kr cookie，它会产生几个PHP版本，只是返回一些空白页面。想象一下:只需一个cookie就可以杀死*.co.kr中的所有PHP页面

And by setting an illegal session ID in a cookie valid for *.co.kr in a variable called +PHPSESSID=illegal you can still DOS every PHP application in korea using PHP sessions...

通过在一个对*.co.kr有效的cookie中设置非法会话ID，在一个名为+PHPSESSID=illegal的变量中，您仍然可以使用PHP会话来访问韩国的每个PHP应用程序……

The discussion continues for a few more postings and is interesting to read.

讨论还在继续，还有一些帖子值得一读。

As you can see, the main problem with $_REQUEST is not so much that it has data from $_GET and $_POST, but also from $_COOKIE. Some other guys on the list suggested changing the order in which $_REQUEST is filled, e.g. filling it with $_COOKIE first, but this could lead to numerous other potential problems, for instance with Session handling.

如您所见，$_REQUEST的主要问题不是它有$_GET和$_POST的数据，而是$_COOKIE的数据。列表上的其他一些人建议更改$_REQUEST填充的顺序，例如先填充$_COOKIE，但是这可能会导致许多其他潜在的问题，例如会话处理。

You could completely omit $_COOKIES from the $_REQUEST global though, so that it is not overwritten by any of the other arrays (in fact, you can limit it to any combination of it's standard contents, like the PHP manual on the variable_order ini setting tells us:

您可以完全忽略$_REQUEST全局变量中的$_COOKIES，这样它就不会被其他数组覆盖(实际上，您可以将其限制为其标准内容的任何组合，比如variable_order ini设置上的PHP手册告诉我们:

variable_order Sets the order of the EGPCS (Environment, Get, Post, Cookie, and Server) variable parsing. For example, if variables_order is set to "SP" then PHP will create the superglobals $_SERVER and $_POST, but not create $_ENV, $_GET, and $_COOKIE. Setting to "" means no superglobals will be set.

variable_order设置了EGPCS(环境、Get、Post、Cookie和Server)变量解析的顺序。例如，如果variables_order设置为“SP”，那么PHP将创建superglobals $_SERVER和$_POST，但不创建$_ENV、$_GET和$_COOKIE。设置为“”意味着不会设置超球。

But then again, you might also consider not using $_REQUEST altogether, simply because in PHP you can access Environment, Get, Post, Cookie, and Server in their own globals and have one attack vector less. You still have to sanitize this data, but it's one less thing to worry about.

但是，同样，您也可以考虑不使用$_REQUEST，因为在PHP中，您可以访问环境、Get、Post、Cookie和服务器，并且减少一个攻击向量。你仍然需要对这些数据进行消毒，但这是一件不用担心的事情。

Now you might wonder, why does $_REQUEST exists after all and why it is not removed. This was asked on PHP Internals as well. Citing Rasmus Lerdorf about Why does $_REQUEST exist? on PHP Internals

现在您可能想知道，为什么$_REQUEST存在，为什么不删除它。这也是PHP内部的问题。引用Rasmus Lerdorf的例子，为什么会有$_REQUEST ?在PHP内部

The more stuff like this we remove, the harder it becomes for people to quickly move to newer, faster and more secure versions of PHP. That causes way more frustration for everyone than a few "ugly" legacy features. If there is a decent technical reason, performance or security, then we need to take a hard look at it. In this case, the thing we should be looking at isn't whether we should remove $_REQUEST but whether we should remove cookie data from it. Many configurations already do that, including all of my own, and there is a strong valid security reason for not including cookies in $_REQUEST. Most people use $_REQUEST to mean GET or POST, not realizing that it could also contain cookies and as such bad guys could potentially do some cookie injection tricks and break naive applications.

我们删除的内容越多，人们就越难快速地迁移到更新、更快和更安全的PHP版本。这比一些“丑陋”的遗留特性更让每个人沮丧。如果有合适的技术原因、性能或安全性，那么我们需要认真考虑。在这种情况下，我们应该关注的不是是否应该删除$_REQUEST，而是是否应该删除它的cookie数据。许多配置已经这样做了，包括所有我自己的配置，并且有一个强大的有效的安全原因，不包括$_REQUEST中的cookie。大多数人使用$_REQUEST来表示GET或POST，而没有意识到它也可能包含cookie，因此这些坏家伙可能会做一些cookie注入技巧并破坏幼稚的应用程序。

Anyway, hope that shed some light.

无论如何，希望这能给我们一些启示。

10  

$_REQUEST refers to all sorts of requests (GET, POST etc..). This is sometimes useful, but is usually better to specify the exact method ($_GET, $_POST etc).

$_REQUEST是指各种请求(GET、POST等)。这有时是有用的，但是最好指定确切的方法($_GET、$_POST等)。

8  

$_REQUEST is generally considered harmful for the same reason that simple-to-medium-complexity data-transformations are often performed in the application code instead of declared in SQL: some programmers suck.

$_REQUEST通常被认为是有害的，原因与简单到中等复杂的数据转换通常在应用程序代码中执行，而不是在SQL中声明:有些程序员很糟糕。

As such, if one tends to use $_REQUEST everywhere, I can do anything via GET that I could via POST, which means setting up <img> tags on my (malicious) site that cause users logged into your e-commerce module to purchase products silently, or I can cause them to click on links that will result in dangerous actions or the revelation of sensitive information (probably to me).

同样地,如果一个人倾向于使用$ _REQUEST无处不在,我可以做任何事通过,我可以通过,这意味着设置< img >标记在我的恶意网站,导致用户登录到您的电子商务模块静静地购买产品,或者我可以让他们点击链接将导致危险的动作或敏感信息的启示(可能是我)。

However, this is because of a novice, or at least inexperienced, PHP programmer making simple mistakes. First off, know when data of what type is appropriate. For example, I have a web service which can return responses in URLEncoding, XML or JSON. The application decides how to format the response by checking the HTTP_ACCEPT header, but can be coerced into one specifically by sending the format parameter.

但是，这是因为PHP程序员犯了简单的错误，或者至少是缺乏经验。首先，了解什么类型的数据是合适的。例如，我有一个web服务，可以在URLEncoding、XML或JSON中返回响应。应用程序通过检查HTTP_ACCEPT标头来决定如何格式化响应，但是可以通过发送format参数强制将其转换为一个特定的标头。

When checking the content of the format parameter, it could be sent via querystring or a postdata, depending on a multitude of factors, not the least of which being whether or not the calling applications wants "&format=json" mixed in with its request. In this case, $_REQUEST is very convenient because it saves me having to type something like this:

在检查格式参数的内容时，它可以通过querystring或postdata发送，这取决于许多因素，其中最重要的是调用应用程序是否希望将“&format=json”与其请求混合。在这种情况下，$_REQUEST非常方便，因为它使我不必输入如下内容:

$format = isset($_POST['format']) ? $_POST['format'] 
    : (isset($_GET['format']) ? $_GET['format'] : null);

I'm not going to ramble on much further, but suffice to say that $_REQUEST usage is not dissuaded because it is inherently dangerous - it's just another tool that does exactly what is asked of it, whether you understand those implications or not - it is the poor, lazy or uninformed decision of a poor, lazy or inexperienced programmer that causes this problem.

我不打算进一步漫游,但足以说$ _REQUEST用法不劝阻,因为它本质上是危险的——只是另一种工具,究竟什么是问,不管你是否理解这些影响——这是穷人,懒惰或无知的决定一个贫穷、懒惰或缺乏经验的程序员会导致这个问题。

How to use $_REQUEST safely

1. Know your data: You should have some expectation as to what kind of data you will get, so sanitize it accordingly. Data for a database? addslashes() or *_escape_string(). Going to show it back to the user? htmlentities() or htmlspecialchars(). Expecting numerical data? is_numeric() or ctype_digit(). In fact, filter_input() and its related functions are designed to do nothing but check and sanitize data. Use these tools, always.
2. 了解您的数据:您应该对您将获得的数据类型有一些预期，因此要对其进行相应的清理。数据库的数据吗?* _escape_string addslashes()或()。要把它展示给用户吗?htmlentities()或htmlspecialchars函数()。期待数字数据?is_numeric()或ctype_digit()。事实上，filter_input()及其相关函数被设计成除了检查和清理数据之外什么都不做。使用这些工具,总是。
3. Don't access user-supplied superglobals data directly. Make a habit of sanitizing your data, every time, and move your data to clean variables, even if it's just $post_clean. Alternatively, you can just clean directly in the superglobals, but the reason I advocate using a separate variable is because doing so makes it easy to spot vulnerabilities in code, as anything pointing directly to a superglobal and not its sanitized equivalent is considered a dangerous error.
4. 不要直接访问用户提供的超全局数据。养成每次都对数据进行清理的习惯，并将数据移动到清理变量，即使它只是$post_clean。或者，您可以直接在超级全局变量中进行清理，但是我提倡使用单独的变量的原因是，这样做可以很容易地发现代码中的漏洞，因为任何直接指向超全局变量而不是它的经过清理的等价变量都被认为是一个危险的错误。
5. Know where you data should be coming from. Referencing my example from above, it is perfectly reasonable to allow the response format variable to be sent via GET or POST. I also allow the "action" variable to be sent via either method. However, the actions themselves have very specific requirements as to which HTTP Verb is acceptable. Functions, for example, that make changes to data used by the service may only be sent via POST. Requests for certain types of non- or low-privilege data (such as dynamically generated map images) may be served in response to requests from either method.
6. 知道你的数据应该来自哪里。从上面引用我的示例，允许通过GET或POST发送响应格式变量是完全合理的。我还允许通过任何一种方法发送“action”变量。然而，这些操作本身对哪些HTTP谓词是可接受的有非常明确的要求。例如，对服务使用的数据进行更改的函数只能通过POST发送。对于某些类型的非或低权限数据(如动态生成的映射图像)的请求，可能会响应来自任一方法的请求。

In conclusion, remember this simple rule:

总之，记住这个简单的规则:

SECURITY IS WHAT YOU MAKE IT, PEOPLE!

EDIT:

I strongly recommend bobince's advice: if you can, set the request_order parameter in php.ini to "GP"; that is, no cookie component. There is almost no rational reasoning for this in 98%+ of cases, as cookie data should almost never be considered comparable to the querystring or to postdata.

我强烈推荐bobince的建议:如果可以，在php中设置request_order参数。ini“全科医生”;也就是说，没有cookie组件。在98%以上的情况下，几乎没有合理的推理，因为几乎不应该认为cookie数据可以与querystring或postdata进行比较。

P.S., Anecdote!

注:,轶事!

I knew a programmer who thought of $_REQUEST a place to simply store data that was accessible in a superglobal way. Important usernames and passwords, paths to files, you name it and it was stored in $_REQUEST. He was a bit surprised (although not comically so, unfortunately) when I told him how that variable behaves. Needless to say, that practice has been deposed.

我认识一个程序员，他想到了$_REQUEST，一个简单的存储数据的地方，以超全局方式访问。重要的用户名和密码，文件路径，你命名它，它存储在$_REQUEST中。当我告诉他这个变量是如何运行的时候，他有点惊讶(虽然不是很滑稽，但很不幸)。不用说，这种做法已经被废除了。

8  

GET requests should be idempotent and POST requests are generally not. This means that data in $_GET and $_POST should generally be used in different ways.

GET请求应该是幂等的，POST请求通常不是。这意味着$_GET和$_POST中的数据通常应该以不同的方式使用。

If your application is using data from $_REQUEST, it will behave the same for both GET and POST requests, which violates the idempotence of GET.

如果您的应用程序使用来自$_REQUEST的数据，那么它对GET和POST请求的行为都是相同的，这违背了GET的幂等性。

7  

It's vague. You don't really know how the data got to you since it carries post, get, and cookie data. I don't necessarily think that is always a bad thing, unless you need to know or restrict the method of delivery.

它是模糊的。由于数据包含post、get和cookie数据，所以您并不知道数据是如何到达您的。我不认为这总是坏事，除非你需要知道或限制交货方式。

3  

I actually like using it. It gives you the flexibility to use GET or POST which can come in handy for things like search forms where most of the time data is POSTed, but sometimes you'll want to say link to a particular search, so you can use GET parameters instead.

我喜欢用它。它提供了使用GET或POST的灵活性，这对于搜索表单(大多数时间数据都是在那里发布的)很有用，但有时您可能想说链接到特定的搜索，因此您可以使用GET参数。

Also, if you look at many other languages (ASP.NET for example) they make no distinction between GET and POST variables at all.

此外，如果您查看其他许多语言(ASP)。例如，他们对GET和POST变量之间没有区别。

ETA:

埃塔:

I've never used REQUEST to get COOKIE values, but I think Kyle Butt makes a great point in the comments on this post about that. It is NOT a good idea to use REQUEST for getting COOKIE values. I believe he is right that there is some real potential for cross-site request forgery if you do that.

我从来没有使用请求来获取COOKIE值，但是我认为Kyle Butt在这篇文章的评论中提出了一个很好的观点。使用请求获取COOKIE值不是一个好主意。我相信他是对的，如果你这么做的话，跨站点请求伪造是有一定潜力的。

Also, the order in which stuff gets loaded into REQUEST is controlled by configuration parameters in php.ini (variables_order and request_order). So, if you have the same variable passed in via both POST and GET, which one actually gets into REQUEST depends on those ini settings. This could affect portability if you depend on a particular order and those settings are configured differently than you expect them to be.

此外，将内容加载到请求中的顺序是由php中的配置参数控制的。ini(variables_order和request_order)。所以，如果你有相同的变量通过POST和GET传入，哪个会进入请求取决于ini设置。这可能会影响可移植性，如果您依赖于特定的顺序，并且这些设置的配置方式与您期望的不同。

2  

It's important to understand when to use POST, when to use GET and when to use a cookie. With $_REQUEST, the value you're looking at could have come from any of them. If you expect to get the value from a POST or a GET or from a COOKIE, it's more informative to someone reading your code to use the specific variable instead of $_REQUEST.

理解何时使用POST、何时使用GET和何时使用cookie是很重要的。使用$_REQUEST，您所查看的值可以来自其中任何一个。如果您希望从POST、get或COOKIE中获取值，那么对于阅读您的代码的人来说，使用特定的变量而不是$_REQUEST会更加有用。

Someone else pointed out also that you don't want to all POST's or cookies to be overridden by GETs because there are different cross-site rules for all of them, for instance, if you return ajax data while using $_REQUEST, you are vulnerable to a cross site script attack.

还有人指出，您不希望所有POST或cookie都被get所覆盖，因为它们都有不同的跨站点规则，例如，如果您在使用$_REQUEST时返回ajax数据，那么很容易受到跨站点脚本攻击。

2  

The only time using $_REQUEST is not a bad idea is with GET.

使用$_REQUEST的惟一时机是使用GET。

• If you use it to load POST values, you risk cross-site request forgeries
• 如果您使用它来加载POST值，您将面临跨站点请求伪造的风险
• If you use it to load cookie values, you again risk cross-site request forgeries
• 如果您使用它来加载cookie值，您将再次面临跨站点请求伪造的风险。

And even with GET, $_GET is shorter to type than $_REQUEST ;)

即使有了GET， $_GET的类型也比$_REQUEST更短;

0  

I might be used only if you want to retrieve the current url or hostname, but for actually parsing data from that URL such as parmeters using the & symbol it's probably not a good idea. In general, you don't want to use a vague description of what you are trying to do. If you need to be specific that's where $_REQUEST is bad, if you don't need to be specific then feel free to use it. I would think.

我可能只在您想要检索当前url或主机名时才会使用，但对于实际解析来自该url的数据，例如使用&符号的parmeter，这可能不是一个好主意。一般来说，你不想对你要做的事情做一个模糊的描述。如果您需要特别说明$_REQUEST的缺点，如果您不需要特别说明，那么可以使用它。我认为。

0  

If you know what data you want, you should explicitly ask for it. IMO, GET and POST are two different animals and I can't think of a good reason why you would ever need to mix post data and query strings. If anyone has one, I'd be interested.

如果您知道需要什么数据，您应该明确地询问它。IMO, GET和POST是两个不同的动物，我想不出一个很好的理由来解释为什么你需要混合POST数据和查询字符串。如果有人有的话，我很感兴趣。

It can be convenient to use $_REQUEST when your scripts might respond to either GET or POST in the same manner. I would argue though that this should be an extremely rare case, and in most instances two separate functions to handle two separate concepts, or at the very least checking the method and selecting the correct variables, is preferred. Program flow is usually a lot easier to follow when it's not necessary to cross reference where the variables might be coming from. Be kind to the person who has to maintain your code in 6 months time. It might be you.

当脚本可能以相同的方式响应GET或POST时，使用$_REQUEST是很方便的。我认为这应该是一种非常罕见的情况，在大多数情况下，处理两个独立概念的两个独立函数，或者至少检查方法并选择正确的变量是首选的。当不需要交叉引用变量的来源时，程序流通常更容易遵循。对需要在6个月内维护代码的人要友善。它可能是你。

In addition to the security problems and WTFs caused by cookies and environment variables in the REQUEST variable (don't get me started on GLOBAL), consider what might happen in the future if PHP started natively supporting other methods such as PUT and DELETE. While it's extremely unlikely that these would be merged into the REQUEST superglobal, it's possible they could be included as on option in the variable_order setting. So you really have no idea whatsoever what REQUEST holds, and what is taking precedence, particularly if your code is deployed on a third-party server.

除了由请求变量中的cookie和环境变量引起的安全问题和WTFs(不要让我开始使用全局变量)之外，考虑一下如果PHP开始支持其他方法(如PUT和DELETE)，将来可能会发生什么。虽然它们不太可能被合并到请求超全局变量中，但是它们可以作为on选项包含在variable_order设置中。因此，您确实不知道哪个请求包含了什么，以及优先级是什么，特别是如果您的代码部署在第三方服务器上。

Is POST safer than GET? Not really. It's better to use GET where practical because it's easier to see in your logs how your application is being exploited when it gets attacked. POST is better for operations that affect domain state because spiders generally don't follow them, and predictive fetching mechanisms won't delete all your content when you log into your CMS. However, the question was not about the merits of GET vs POST, it was about how the receiver should treat the incoming data and why it's bad to merge it, so this is really just a BTW.

POST比GET更安全吗?不是真的。最好在实际的地方使用GET，因为在日志中更容易看到应用程序在受到攻击时是如何被利用的。POST更适合于影响域状态的操作，因为爬行器通常不会跟踪它们，而且当您登录到CMS时，预测性抓取机制不会删除所有内容。然而，问题不是关于GET vs POST的优点，而是关于接收方应该如何对待传入的数据，以及为什么合并它是不好的，所以这实际上只是一个BTW。

0  

I think there is no problem with $_REQUEST, but we must be careful when using it since it is a collection of variables from 3 sources (GPC).

我认为$_REQUEST没有问题，但是在使用它时我们必须小心，因为它是从三个源(GPC)的变量集合。

I guess $_REQUEST is still available to make old programs compatible with new php versions, but if we start new projects (including new libraries) I think we should not use $_REQUEST anymore to make the programs clearer. We should even consider deleting uses of $_REQUEST and replacing it with a wrapper function to make the program lighter, especially in processing large submitted text data, since $_REQUEST contains copies of $_POST.

我想$_REQUEST仍然可以使旧的程序与新的php版本兼容，但是如果我们开始新的项目(包括新的库)，我认为我们不应该再使用$_REQUEST来使程序更清晰。我们甚至应该考虑删除使用$_REQUEST并将其替换为一个包装器函数，以使程序更轻，特别是在处理大量提交的文本数据时，因为$_REQUEST包含$_POST的副本。

// delete $_REQUEST when program execute, the program would be lighter 
// when large text submitted
unset($_REQUEST);

// wrapper function to get request var
function GetRequest($key, $default = null, $source = '') 
{
  if ($source == 'get') {
    if (isset($_GET[$key])) { 
      return $_GET[$key]; 
    } else { 
      return $default; 
    }
  } else if ($source == 'post') {
    if (isset($_POST[$key])) { 
      return $_POST[$key]; 
    } else { 
      return $default; 
    }
  } else if ($source == 'cookie') {
    if (isset($_COOKIE[$key])) { 
      return $_COOKIE[$key]; 
    } else { 
      return $default; 
    }
  } else {
    // no source specified, then find in GPC
    if (isset($_GET[$key])) {
      return $_GET[$key];     
    } else if (isset($_POST[$key])) {
      return $_POST[$key]; 
    } else if (isset($_COOKIE[$key])) {
      return $_COOKIE[$key]; 
    } else {
      return $default; 
    } 
  }
}

0  

Darren Cook: "Since php 5.3 the default php.ini says only GET and POST data are put into $_REQUEST. See php.net/request_order I just stumbled on this backwards-compatibility break when expecting cookie data to be in $_REQUEST and wondering why it wasn't working!"

Darren Cook:“因为php 5.3是默认的php。ini说只有GET和POST数据被放入$_REQUEST中。请参见php.net/request_order，我刚才无意中发现了这个向后兼容的中断，因为我希望cookie数据在$_REQUEST中，并且奇怪为什么它不能工作!

Wow... just had some of my scripts stop working because of an upgrade to PHP 5.3. Did the same thing: assume that cookies would be set when using the $_REQUEST variable. With the upgrade exactly that stopped working.

哇……我的一些脚本因为升级到PHP 5.3而停止工作。做了同样的事情:假设在使用$_REQUEST变量时将设置cookie。随着升级，这一切都停止了。

I now call cookie values separately using $_COOKIE["Cookie_name"]...

我现在使用$_COOKIE["Cookie_name"]单独调用cookie值……

-2  

It's very insecure. Also it's awkward since you don't know if you're getting a POST or a GET, or another request. You really should know the difference between them when designing your applications. GET is very insecure as it's passed in the URL and is not suitable for almost anything besides page navigation. POST, while not safe by itself either, provides one level of safetey.

这是非常没有安全感。也很尴尬，因为你不知道你是否得到了一个职位或一个GET，或者另一个请求。在设计应用程序时，您确实应该知道它们之间的区别。GET非常不安全，因为它是在URL中传递的，除了页面导航之外，它几乎不适合任何东西。POST虽然本身也不安全，但它提供了一个安全级别。