Why should I use $_GET and $_POST instead of $_REQUEST? [duplicate]

I use $_REQUEST when I just want certain data from the user to return certain data.

Never use $_REQUEST when the request will have side effects. Requests that produce side effects should be POST (for semantic reasons, and also because of basic CSRF stuff, a false img tag can hit any GET endpoint without a user even knowing).

$_GET should be used when GETing or POSTing to a page will produce different results.


Besides the fact that $_REQUEST reads from cookies

Besides the fact that this is undefined (It's configurable on a per-installation level), the problem using $_REQUEST is that it over-simplifies things. There is (or should be) a semantic difference between a GET request and a POST request. Thus it should matter to your application if you get input from one source or the other. This is how the HTTP protocol is defined, so by ignoring it, you are undermining the protocol, which makes your application less interoperable. It's the same type argument that can be made for using semantic HTML markup, rather than presentation-oriented markup. Or more generally, following the intentions of a protocol rather than just doing whatever works in the concrete situation.


You already gave one of the answers, so I'll give another:

It's more of a stylistic choice. For instance, you don't usually want information that changes state on the server to be cacheable, so you probably want to restrict it to $_POST variables.


The usage of $_REQUEST opens some attack vectors to your application where variables could be overwritten where you wouldn't want it to happen.

Also consider the order GPC (Get, Post, Cookie) on which the $_REQUEST will get filled.

i.e. a request with:

$_GET['foo'] = 'bar'
$_POST['foo'] = 'baz'

will result in

$_REQUEST['foo'] == 'bar'