Archive for October, 2010

Use $_REQUEST Sparingly

October 6, 2010

Just tracked down an interesting bug that I thought should be mentioned. Here are the references so we all understand this a bit better.

$_REQUEST contains a combination of $_GET, $_POST, and $_COOKIE by default.
http://php.net/manual/en/reserved.variables.request.php

The variables_order configuration (php.ini) is what determines the content of that $_REQUEST array.
http://www.php.net/manual/en/ini.core.php#ini.variables-order

Example:
variables_order = GPC

This means that GET, POST, and COOKIE data are all merged into the $_REQUEST array in that order, with each source overriding any key/value pairs already set by the previous ones.

Scenario:
One feature our application has is the ability to track the last selected tab on a page by storing the tab_id in a cookie.  This is only set when you visit certain tabs.   Some time later a new feature was created that also used a tab_id field.  A random bug started occurring where the tab_id for the new report was not at all correct, causing incorrect data to be saved.

Resolution:
Turns out the cookie data was to blame. This bug only showed up if you had visited one of the tabs that saved the tab_id to your cookie. The JavaScript for the new report was explicitly posting the data, but the controller was receiving the wrong value because it was using $_REQUEST. Since cookie values override POST values, the controller was seeing the tab_id from the cookie ($_COOKIE) instead of the $_POST value we really wanted.

You should use the most restrictive superglobal possible; in this case, $_POST should have been used instead of $_REQUEST.
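
The collision described above, reproduced as an added example that is not code from the original application: `build_request()`, the two controller helpers, and the sample values are hypothetical, and the merge is modelled for scalar fields only.

```php
<?php
// Added example: models the order in which PHP fills $_REQUEST (scalar fields).
// Function names and sample values are constructed for illustration.

/** Merge sources in the configured order; later letters overwrite earlier keys. */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {   // E and S never reach $_REQUEST
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Buggy controller: reads the merged array, so whichever source came last wins. */
function tab_id_from_request(array $request): ?int
{
    return isset($request['tab_id']) ? (int) $request['tab_id'] : null;
}

/** Fixed controller: reads only the POST body and validates the value. */
function tab_id_from_post(array $post): ?int
{
    $id = filter_var($post['tab_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request: the report form posts tab_id=7, while the browser
// still carries the older "last selected tab" cookie with tab_id=3.
$get    = [];
$post   = ['tab_id' => '7'];
$cookie = ['tab_id' => '3'];

$merged = build_request('GPC', $get, $post, $cookie);
printf("via \$_REQUEST (GPC): %d\n", tab_id_from_request($merged));
printf("via \$_POST:          %d\n", tab_id_from_post($post));

// An order without C (for example via PHP's request_order directive) keeps
// cookies out of the merge, so the posted value is no longer shadowed.
$noCookie = build_request('GP', $get, $post, $cookie);
printf("via \$_REQUEST (GP):  %d\n", tab_id_from_request($noCookie));
```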
