When we process submit form, how to accept the input request? We have 3 choices: $_REQUEST, $_GET, $_POST. What’s the difference between $_REQUEST and the other 2 ?

$_REQUEST contains: $_GET, $_POST request, as well as $_COOKIE variables.

The following is a real case which occurs bugs, For the html form:

1. <form action=“process\submit.php”, method=“GET”>…_

Suppose we have 2 import pairs: [‘user’]=‘test_user’, [‘pass’]=‘test_pass’.
If using $_GET or $_POST, we accurately get what we are expecting:

1. and user = ‘test\user’ and pass = ‘test_pass’;_

However, if for better compatibility of changing form’s method between ‘GET’ and ‘POST’, we use $_REQUEST to hold all the possibility, like:

- foreach ($\REQUEST as $key => $value) {

•   $hash[$key] = trim($value);
•   $condition = ” and $key=’” . $trim($value) . ”’ “;
• }_

Because $_REQUEST=$_GET/$_POST + $_COOKIE, unanticipated variables are imported, here is some security holes and vogue bugs.

• and user=‘test\user’ and pass=‘test_pass’ and cookie_key1=‘cookie_value1’ and cookie_key2=‘cookie_value2’ …_

This is not exactly what we want.
So, if you are sure which request are input (method=‘get’ or method=‘post’), use it directly ($_GET, or $_POST) instead of vague $_REQUEST.
In other words, avoid to use $_REQUEST, this max avoid bugs and security holes.