Does PHP's $_REQUEST method have a security problem?

Question

The textbook I read says that $_REQUEST has security problem so we better use $_POST.

Is this OK?

Answer 1

There's no real security difference between using $_POST and $_REQUEST, you should sanitise the data with equal scrutiny.

The biggest problem with $_REQUEST is you may be trying to get data from a POST'd form, but might have a GET parameter with the same name. Where will the data come from? It's best to explicitly request the data from where you expect it, $_POST in that example

There are slight security benefits - it's easier to perform XSS (more specifically XSRF) attacks on GET parameters, which is possible if you use $_REQUEST, when you really just want POST data..

There's very few situations when you need data either from POST, GET or cookie.. If you want to get POST data, use $_POST, if you want to get data from from GET parameters, use $_GET, if you want cookie data, use $_COOKIE