使用$ _REQUEST []有什么问题? [英] What's wrong with using $_REQUEST[]?
问题描述
我在这里看到许多帖子说不要使用$_REQUEST变量.我通常不这样做,但有时很方便.怎么了?
I've seen a number of posts on here saying not to use the $_REQUEST variable. I usually don't, but sometimes it's convenient. What's wrong with it?
推荐答案
以组合方式从$_GET和$_POST两者中获取输入绝对没有错.实际上,这就是您几乎总是想做的:
There's absolutely nothing wrong with taking input from both $_GET and $_POST in a combined way. In fact that's what you almost always want to do:
-
对于通常通过GET提交的纯幂等请求,有可能您想要的数据量无法容纳在URL中,因此实际上已将其更改为POST请求.
for a plain idempotent request usually submitted via GET, there's the possibility the amount of data you want won't fit in a URL so it has be mutated to a POST request instead as a practical matter.
对于具有实际效果的请求,您必须检查其是否由POST方法提交.但是,这样做的方法是显式检查$_SERVER['REQUEST_METHOD'],而不是依赖$_POST为GET清空.而且无论如何,如果方法是POST,您仍可能要从URL中取出一些查询参数.
for a request that has a real effect, you have to check that it's submitted by the POST method. But the way to do that is to check $_SERVER['REQUEST_METHOD'] explicitly, not rely on $_POST being empty for a GET. And anyway if the method is POST, you still might want to take some query parameters out of the URL.
否,$_REQUEST的问题与合并GET和POST参数无关.默认情况下,它还包含$_COOKIE. Cookie实际上根本不像表单提交参数:您几乎永远都不想将它们视为同一事物.
No, the problem with $_REQUEST is nothing to do with conflating GET and POST parameters. It's that it also, by default, includes $_COOKIE. And cookies really aren't like form submission parameters at all: you almost never want to treat them as the same thing.
如果您不小心在网站上设置了一个与表单参数之一相同名称的cookie,那么由于cookie值覆盖了预期参数,依赖该参数的表单将神秘地停止正常工作.如果您在同一个站点上有多个应用程序,这非常容易做到,并且当您只有几个使用旧Cookie的用户时,您将很难再进行调试,而在这种情况下,您将不再使用它们来摆弄和破坏表单,这非常困难. -另一个可以复制.
If you accidentally get a cookie set on your site with the same name as one of your form parameters, then the forms that rely on that parameter will mysteriously stop working properly due to cookie values overriding the expected parameters. This is very easy to do if you have multiple apps on the same site, and can be very hard to debug when you have just a couple of users with old cookies you don't use any more hanging around and breaking the forms in ways no-one else can reproduce.
You can change this behaviour to the much more sensible GP (no C) order with the request_order config in PHP 5.3. Where this is not possible, I personally would avoid $_REQUEST and, if I needed a combined GET+POST array, create it manually.
这篇关于使用$ _REQUEST []有什么问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
