What happens if you assign a value to $_REQUEST?

Question

I recently came across this line in a PHP script:

$_REQUEST['start_date']=$date;

Is it allowed or useful in any way to assign something to the super global $_REQUEST variable? If there is a $_COOKIE['start_date'] will this change the cookie value?

Yep, assignment is completely valid, though I cant figure out its use — gopi1410, Jun 19 '12 at 08:17
Why not try it and see what happens? That is how you learn to code. — vascowhite, Jun 19 '12 at 08:18
You could do that yeah. Don't know why you would? BTW. You could just try and execute the code ;P — Bono, Jun 19 '12 at 08:19
It could be used to "force" a certain value for later use in the script. Its helpful when debugging scripts, but doesn't seem like great practice, even if only because its confusing. — jedwards, Jun 19 '12 at 08:19
Well, it's another global variable, it's allowed and could be useful. But i do not recommend you to rely much on global variables, as it breaks application encapsulation. — Aurimas Ličkus, Jun 19 '12 at 08:21
@vascowhite I was unsure how $_REQUEST got its values. If it contained links to the $_GET, $_PUT and $_COOKIE variables and not copies of their contents, then assigning a value might give an undefined result and then I don't learn anything from just running the code and inspecting the outcome — Jannie Theunissen, Jun 19 '12 at 09:44
Run test code that monitors them all, this will help you understand better than any answer you get here can. I never understand why some coders seem reluctant/afraid to experiment. — vascowhite, Jun 19 '12 at 14:37
@vascowhite many languages, including PHP (ftell function for example) have undefined results when someone tries something weird. I can run test code that monitors all the possible variables ON MY MACHINE, but not on all operating systems and at all times during the day etc. And like you I can also not understand why some coders are reluctant to experiment :-) — Jannie Theunissen, Jun 19 '12 at 17:48
Good point about undefined results, but that would make the [PHP manual](http://www.php.net/manual) your first resource, which I'm sure it was :) — vascowhite, Jun 19 '12 at 17:57

jedwards · Accepted Answer · 2016-01-24T22:33:43.933

Yes, its allowed and might be helpful for a number of reasons.

Debugging -- If, for some reason you want to "force" a certain request parameter, you can set a value in the $_REQUEST, $_GET, or $_POST arrays. This would override any value sent by the requesting page, which may be desired.
Because you're going to do something with the entire array -- if you want to, for example, json_encode all of the $_REQUEST key-value pairs as well as some additional values, it might be faster to just "add" values to $_REQUEST in this manner, then pass $_REQUEST to json_encode().

Regarding your question about $_COOKIE, no you can't change the value of a cookie that way, only access it.

Note from author: The following example was added as a suggested and approved edit to my original answer. And while it may work, there are better ways to protect your site from injection attacks (e.g. prepared statements). IMHO, a prudent programmer should strongly consider these approaches before relying on the code below.

Think about preventing SQL injection attacks on your website. That simple code will stop them for all $_REQUEST variables (mysqli example):

function injectionwall($dbinterface)
{
    foreach($_REQUEST as $key => $data)
    {
        $_REQUEST[$key]=$dbinterface->real_escape_string($data);
    }
}

All $_REQUEST variables are now safe to use :)

RE: "Note from author" - You're very right to add that warning. I'd actually support removal of that example as it's actually VERY bad practice in so many ways. There must be a safer example (although I'm struggling to think of a useful one). — Robbie, Jun 20 '17 at 23:55

score 3 · Answer 2 · answered Jun 19 '12 at 10:16

I think a more appropriate response is "Yes, it's allowed, but consider it bad practice so avoid for better programming quality".

Why it's allowed (and probably the point of your question):

The SuperGlobals are set at the start of the program execution and then not otherwise changed (unless you do it). So your changes are permanent and easily visible in any other function. So go ahead, edit as you want.

But - why best to avoid:

It's generally good practice to know what your variables are and where they come from. Let's say you have a function that "makes safe" all your inputs by manipulating $_REQUEST. When you come to use $_REQUEST, you can never be sure if your "make safe" function has been run. If doing unit testing, this become especially problematic. If you re-assign the $_REQUEST to another variable, you can track the scope of that variable more easily. Even if you make that other variable a "global" then you know it's safe it it exists. (Downside, you may be wasting memory / programming power for some extremely heavy apps, but you're a long way from that if you're asking this question.)
If you modify $_REQUEST, you are NOT editing $_POST, $_GET or $_COOKIE; this may lead to confusion if you want to change your code to $_POST as some time in the future (e.g. the data you think you've "made safe" won't be).

Finally, two quick notes about using $_REQUEST in general:

$_REQUEST is a combination of $_COOKIE, $_POST and $_GET (and $_FILES in older versions). But you don't know which will take priority unless you read the php.ini file - http://www.php.net/manual/en/ini.core.php#ini.variables-order. So don't rely on $_POST taking priority over $_GET!
Another reason to use $_POST, $_GET or $_COOKIE if you can:- It makes it easier for a future developer to debug your code as they know preceise where you expect the variable to come from. But sometimes it's appropriate for $_REQUEST if you really don't care if the value comes from a cookie, get or post.

Disclaimer: yes, I use $_REQUEST, and yes, I've modified it to get around some situations. Just saying don't if you want to be a better programmer.

score 0 · Answer 3 · answered Jun 19 '12 at 08:19

0

Is it allowed or useful in any way to assign something to the super global $_REQUEST variable?

Yes, it is allowed, but not useful.

If there is a $_COOKIE['start_date'] will this change the cookie value?

No, use setcookie http://php.net/manual/en/function.setcookie.php

All this super global variables just simple global arrays.

answered Jun 19 '12 at 08:19

Sergey

5,208
25
36

4

I completely disagree with the statement that "it's not useful". – jedwards Jun 19 '12 at 08:20
@jedwards He have to use this super global variable with care, because he may rewrite primary data without knowing it. If U use this U have to know how it is works. I think, he didnt' – Sergey Jun 19 '12 at 08:22
In addition to @jedwards' comment, couldn't you use that variable to store something at controller level and retrieve it at view level (given that you give the param name a pretty "unique" name so it doesn't collide with something)? This seems a pretty good example of how it can be useful, am I wrong? – reallynice May 25 '15 at 11:45

What happens if you assign a value to $_REQUEST?

3 Answers3