How evil is $_REQUEST and what are some acceptable Band-Aid countermeasures?

礼貌的吻别 2020-12-30 10:50

I've come across a couple of popular PHP-related answers recently that suggested using the superglobal $_REQUEST, which I think of as code smell, because it re

4 answers
  •  感动是毒
    2020-12-30 11:15

    It's vulnerable to anything passed on the URL. Thus if a form contained a hidden field with the "userid" that was submitted with the form, although in theory the user can't edit it, there is nothing stopping them from changing the value if keen enough.

    If you just want to get the value off the request, that's fine, but you need to be aware that it may very well be spoofed, so you need to act accordingly, and certainly not use it for secure param/value data.
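The hidden "userid" case from the answer above, as an added example that is not part of the original post: a handler that takes the target account from request data, next to one that takes identity from the session and reads only the validated form field from POST. The function names, the `email` field and the sample values are hypothetical, and the arrays stand in for `$_REQUEST`, `$_POST` and `$_SESSION`.

```php
<?php
declare(strict_types=1);

// Pattern the answer warns about: the account to modify comes from request
// data, so whatever "userid" the client sends decides whose record changes.
function targetUserFromRequest(array $request): int
{
    return (int) ($request['userid'] ?? 0);
}

// Hardened: identity comes only from server-side session state.
function targetUserFromSession(array $session): int
{
    if (!isset($session['userid']) || !is_int($session['userid'])) {
        throw new RuntimeException('not authenticated');
    }
    return $session['userid'];
}

// Hardened: the editable value is read from the one source the form uses
// (POST) and validated before use.
function newEmail(array $post): string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email');
    }
    return $email;
}

// Constructed sample: user 42 is logged in, but the hidden field in the
// submitted form was changed to 7 before sending.
$session = ['userid' => 42];
$post    = ['userid' => '7', 'email' => 'new@example.test'];
$request = $post; // stand-in for $_REQUEST (merged GET/POST, cookies per request_order)

printf("request-driven handler would update user %d\n", targetUserFromRequest($request));
printf("session-driven handler updates user %d with %s\n",
    targetUserFromSession($session), newEmail($post));
```

The first line prints 7 and the second prints 42: the spoofed field only matters to the handler that trusts it.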
