
What happens if you assign a value to $_REQUEST?

I recently came across this line in a PHP script:

$_REQUEST['start_date']=$date;

Is it allowed or useful in any way to assign something to the super global $_REQUEST variable? If there is a $_COOKIE['start_date'] will this change the cookie value?

Jannie Theunissen asked Jun 19 '12 08:06


2 Answers

Yes, it's allowed and might be helpful for a number of reasons.

  • Debugging -- If, for some reason you want to "force" a certain request parameter, you can set a value in the $_REQUEST, $_GET, or $_POST arrays. This would override any value sent by the requesting page, which may be desired.
  • Because you're going to do something with the entire array -- if you want to, for example, json_encode all of the $_REQUEST key-value pairs as well as some additional values, it might be faster to just "add" values to $_REQUEST in this manner, then pass $_REQUEST to json_encode().

Regarding your question about $_COOKIE: no, you can't change the value of a cookie that way, only access it.

Note from author: The following example was added as a suggested and approved edit to my original answer. And while it may work, there are better ways to protect your site from injection attacks (e.g. prepared statements). IMHO, a prudent programmer should strongly consider these approaches before relying on the code below.

Think about preventing SQL injection attacks on your website. That simple code will stop them for all $_REQUEST variables (mysqli example):

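// Escapes every $_REQUEST value in place using the given mysqli connection.
// Only $_REQUEST is rewritten; $_GET, $_POST and $_COOKIE keep their raw values.
function injectionwall($dbinterface)
{
    foreach($_REQUEST as $key => $data)
    {
        // real_escape_string() expects a string; an array value (e.g. ?a[]=1) is not handled here
        $_REQUEST[$key]=$dbinterface->real_escape_string($data);
    }
}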

All $_REQUEST variables are now safe to use :)

jedwards answered Sep 18 '22 12:09


I think a more appropriate response is "Yes, it's allowed, but consider it bad practice so avoid for better programming quality".

Why it's allowed (and probably the point of your question):

  • The SuperGlobals are set at the start of the program execution and then not otherwise changed (unless you do it). So your changes are permanent and easily visible in any other function. So go ahead, edit as you want.

But - why best to avoid:

  • It's generally good practice to know what your variables are and where they come from. Let's say you have a function that "makes safe" all your inputs by manipulating $_REQUEST. When you come to use $_REQUEST, you can never be sure if your "make safe" function has been run. If doing unit testing, this becomes especially problematic. If you re-assign the $_REQUEST to another variable, you can track the scope of that variable more easily. Even if you make that other variable a "global" then you know it's safe if it exists. (Downside, you may be wasting memory / programming power for some extremely heavy apps, but you're a long way from that if you're asking this question.)

  • If you modify $_REQUEST, you are NOT editing $_POST, $_GET or $_COOKIE; this may lead to confusion if you want to change your code to $_POST at some time in the future (e.g. the data you think you've "made safe" won't be).

Finally, two quick notes about using $_REQUEST in general:

  • $_REQUEST is a combination of $_COOKIE, $_POST and $_GET (and $_FILES in older versions). But you don't know which will take priority unless you read the php.ini file - http://www.php.net/manual/en/ini.core.php#ini.variables-order. So don't rely on $_POST taking priority over $_GET!

  • Another reason to use $_POST, $_GET or $_COOKIE if you can: it makes it easier for a future developer to debug your code as they know precisely where you expect the variable to come from. But sometimes it's appropriate for $_REQUEST if you really don't care if the value comes from a cookie, get or post.

Disclaimer: yes, I use $_REQUEST, and yes, I've modified it to get around some situations. Just saying don't if you want to be a better programmer.

Robbie answered Sep 18 '22 12:09
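Added example (not part of either answer and not code from the original page): it shows that a "make safe" pass over $_REQUEST leaves $_GET untouched, and the alternative both answers point to, reading the value from one explicit source into its own validated variable and binding it in a prepared statement. The events table, parse_start_date(), events_from() and the sample values are constructed for illustration; PDO with in-memory SQLite (requires the pdo_sqlite extension) replaces the answer's mysqli, and addslashes() stands in for real_escape_string(), so that it runs from the command line without a MySQL server.

```php
<?php
declare(strict_types=1);

// Constructed request state: on the CLI the superglobals start empty.
$_GET     = ['start_date' => "2012-06-19' OR '1'='1"];
$_REQUEST = $_GET; // PHP fills $_REQUEST as a separate array at startup

// Stand-in for injectionwall(): addslashes() replaces real_escape_string()
// only because no MySQL connection exists in this example.
foreach ($_REQUEST as $key => $value) {
    if (is_string($value)) {
        $_REQUEST[$key] = addslashes($value);
    }
}
// The pass rewrote $_REQUEST only; code reading $_GET still sees the raw value.
var_dump($_REQUEST['start_date'] === $_GET['start_date']);

// Hypothetical helper: accept only a strict Y-m-d date, from an explicit source.
function parse_start_date(array $input): ?string
{
    $raw = $input['start_date'] ?? null;
    if (!is_string($raw)) {
        return null; // e.g. ?start_date[]=x arrives as an array
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Hypothetical query function: the value is bound, never spliced into the SQL.
function events_from(PDO $pdo, array $input): array
{
    $date = parse_start_date($input);
    if ($date === null) {
        return []; // reject instead of trying to repair bad input
    }
    $stmt = $pdo->prepare(
        'SELECT name FROM events WHERE start_date >= :d ORDER BY start_date'
    );
    $stmt->execute([':d' => $date]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:'); // constructed in-memory table
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE events (name TEXT, start_date TEXT)");
$pdo->exec("INSERT INTO events VALUES ('launch','2012-06-19'), ('review','2012-07-01')");

var_dump(events_from($pdo, $_GET));                          // malformed input
var_dump(events_from($pdo, ['start_date' => '2012-06-20'])); // valid date
```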