[SOLVED] Personal Style/Security

[Ninjakreborn]

I have always used the following

$_POST for post variables

$_GET for get variables

$_SESSION for session variables

$_COOKIES for cookie variables

and $_FILES for file variables.

I am not 100% but lately I have noticed I sometimes have 1 defining variable that could be either get/post.  I noticed using $_REQUEST on ones that could be either, is that basically the same thing.  Is it insecure.  For instance id's.  sometimes they are post, sometimes get.

I normally use to do

if (isset($_POST['id'])) {

$id = mysql_real_escape_string($_POST['id']);

}elseif (isset($_GET['id'])) {

$id = mysql_real_escape_string($_GET['id']);

}else {

$id = "no";

}

Basically but the other way things are like

if (isset($_REQUEST['id'])) {

$id = mysql_real_escape_string($_REQUEST['id']);

}else {

$id = "no";

}

Basically just a quick example, I notice that if I have this setup like this, it's a little faster.

Is there something wrong with the request variable.  Mostly for "switch" statements (like a front controller or something), there would be different variables getting passed to the controller (sometimes post/sometimes get) so I was thinking request  would be faster.  Since I have never used it I wanted to check what you thought about it first, and see if there was anything wrong, or insecure about using request.

[taith]

thing about using $_REQUEST... is that it contains both $_POST and $_GET... now... as that seems a good thing... its not always is... a) it can be a huge security hole, if the variables are not properly verified and/or cleaned up... b) if something comes in by the same name through $_POST and $_GET, making $_REQUEST[$name]=array('name1','name2'); which could cause some serious errors...

 

so... $_REQUEST may be helpful, i'd just be really careful with how and where you use em... definatly not for logins

[Ninjakreborn]

That I did not think of, in that scenariou they could pass an array, I have to look into that more, thanks.