使用 $_REQUEST[] 有什么问题? [英] What's wrong with using $_REQUEST[]?
问题描述
我在这里看到很多帖子都说不要使用 $_REQUEST 变量.我通常不这样做,但有时很方便.有什么问题吗?
I've seen a number of posts on here saying not to use the $_REQUEST variable. I usually don't, but sometimes it's convenient. What's wrong with it?
推荐答案
以组合方式从 $_GET 和 $_POST 获取输入绝对没有错.事实上,这就是您几乎一直想做的事情:
There's absolutely nothing wrong with taking input from both $_GET and $_POST in a combined way. In fact that's what you almost always want to do:
对于通常通过 GET 提交的普通幂等请求,您想要的数据量可能无法放入 URL,因此实际上已将其更改为 POST 请求.
for a plain idempotent request usually submitted via GET, there's the possibility the amount of data you want won't fit in a URL so it has be mutated to a POST request instead as a practical matter.
对于一个有实际效果的请求,你必须检查它是否是通过 POST 方法提交的.但是这样做的方法是明确检查 $_SERVER['REQUEST_METHOD'],而不是依赖 $_POST 为空来获取 GET.无论如何,如果方法是 POST,您仍然可能希望从 URL 中取出一些查询参数.
for a request that has a real effect, you have to check that it's submitted by the POST method. But the way to do that is to check $_SERVER['REQUEST_METHOD'] explicitly, not rely on $_POST being empty for a GET. And anyway if the method is POST, you still might want to take some query parameters out of the URL.
不,$_REQUEST 的问题与混淆 GET 和 POST 参数无关.默认情况下,它还包含 $_COOKIE.而且 cookie 真的根本不像表单提交参数:您几乎从不想将它们视为相同的东西.
No, the problem with $_REQUEST is nothing to do with conflating GET and POST parameters. It's that it also, by default, includes $_COOKIE. And cookies really aren't like form submission parameters at all: you almost never want to treat them as the same thing.
如果您不小心在您的站点上设置了一个与表单参数同名的 cookie,那么依赖该参数的表单将由于 cookie 值覆盖预期参数而神秘地停止正常工作.如果您在同一个站点上有多个应用程序,这很容易做到,并且当您只有几个使用旧 cookie 的用户时可能很难调试,您不再使用任何更多的闲逛和破坏表单的方式没有- 其他人可以复制.
If you accidentally get a cookie set on your site with the same name as one of your form parameters, then the forms that rely on that parameter will mysteriously stop working properly due to cookie values overriding the expected parameters. This is very easy to do if you have multiple apps on the same site, and can be very hard to debug when you have just a couple of users with old cookies you don't use any more hanging around and breaking the forms in ways no-one else can reproduce.
您可以使用 request_order PHP 5.3 中的配置.如果这是不可能的,我个人会避免 $_REQUEST 并且,如果我需要组合的 GET+POST 数组,请手动创建它.
You can change this behaviour to the much more sensible GP (no C) order with the request_order config in PHP 5.3. Where this is not possible, I personally would avoid $_REQUEST and, if I needed a combined GET+POST array, create it manually.
这篇关于使用 $_REQUEST[] 有什么问题?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
