I've come across a couple of popular PHP-related answers recently that suggested using the superglobal $_REQUEST, which I think of as code smell, because it reminds me of

Can you provide a good explanation/evidence of why $_REQUEST is bad practice? I'll throw out a couple of examples I've dug up, and would love more information/perspective on both theoretical attack vectors and real-world exploits, as well as suggestions of reasonable steps the sysadmin can take to reduce risk (short of rewriting the app ... or, do we need to go to management and insist on a rewrite?).
Example vulnerabilities:

- Default GPC array merge-order means that COOKIE values override GET and POST, so $_REQUEST can be used for XSS and HTTP attacks.
- PHP lets cookie vars overwrite the superglobal arrays. First 10 slides of this talk give examples (whole talk is great).
- phpMyAdmin exploit example of CSRF attack.

Example countermeasures:

- Reconfigure $_REQUEST array merge-order from CGP so GET/POST overwrite COOKIE, not the other way around.
- Use Suhosin to block overwrite of superglobals.
(Also, wouldn't be asking if I thought my question was a dupe, but happily the overwhelming SO answer to "When and why should $_REQUEST be used instead of $_GET / $_POST / $_COOKIE?" was "Never.")
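A stand-alone PHP sketch of the merge-order issue raised in the question, added here as an illustration (it is not code from the question, the linked talk, or PHP itself): it re-implements how PHP folds GET/POST/COOKIE into $_REQUEST for a given order string, shows a planted cookie shadowing a query parameter under "GPC", and contrasts that with the php.ini-production default request_order = "GP". The build_request and param_from_get helpers and the request arrays are constructed for this example.

```php
<?php
// Added example: simulate PHP's $_REQUEST construction without a web server.
// In a real install the order comes from the php.ini directives request_order
// (if set) or variables_order; later letters win, so under "GPC" a cookie with
// the same name as a query parameter silently replaces it. You can inspect the
// effective values with:
//   php -r 'var_dump(ini_get("request_order"), ini_get("variables_order"));'

/** Merge the three sources in $order; a later source overwrites an earlier one. */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // Array union keeps the left operand on key clashes, so putting the
            // newer source on the left makes it win (and preserves numeric keys).
            $merged = $sources[$letter] + $merged;
        }
    }
    return $merged;
}

/** The robust fix: read the parameter from the one source it is expected in. */
function param_from_get(string $name, array $get): ?string
{
    return isset($get[$name]) ? (string) $get[$name] : null;
}

// Constructed sample request: the query string carries the intended 'page'
// value, but a cookie of the same name has been set on the client.
$get    = ['page' => 'index', 'lang' => 'en'];
$post   = [];
$cookie = ['page' => 'cookie_controlled', 'PHPSESSID' => 'sample-session'];

// "GPC" (the G/P/C part of the default variables_order "EGPCS"): the cookie wins,
// so code trusting $_REQUEST['page'] acts on a value the query string never sent.
$gpc = build_request('GPC', $get, $post, $cookie);
echo "order GPC   -> page=" . $gpc['page'] . "\n";

// "GP" (php.ini-production's request_order): cookies never reach $_REQUEST.
$gp = build_request('GP', $get, $post, $cookie);
echo "order GP    -> page=" . $gp['page'] . "\n";

// Explicit source, independent of any ini setting.
echo "explicit GET -> page=" . param_from_get('page', $get) . "\n";
```

Run it with `php simulate_request.php` and compare the three lines; only the first one reflects the cookie.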