
Use $_REQUEST Sparingly

October 6, 2010

Just tracked down an interesting bug that I thought should be mentioned. Here are the references so we all understand this a bit better.

$_REQUEST contains a combination of $_GET, $_POST, and $_COOKIE by default.

The variables_order configuration (php.ini) is what determines the content of that $_REQUEST array.

variables_order = GPC

This means that GET, POST, and COOKIE are all merged into the $_REQUEST array in that order, with each one overriding the key/value pairs of the previous ones if they exist.

One feature our application has is the ability to track the last selected tab on a page by storing the tab_id in a cookie. This is only set when you visit certain tabs. Some time later a new feature was created that also used a tab_id field. A random bug started occurring where the tab_id for the new report was not at all correct, causing incorrect data to be saved.

It turns out the cookie data was to blame. This bug only showed up if you had visited one of the tabs that saved the tab_id to your cookie. The JavaScript for the new report was explicitly posting the data, but the controller was receiving the wrong value because it was using $_REQUEST. Since cookie values override POST values, the controller was seeing the tab_id from the cookie ($_COOKIE) instead of the $_POST value we really wanted.

You should be using the most restrictive superglobal possible; in this case, $_POST should have been used instead of $_REQUEST.
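The collision described above can be reproduced from the command line with the added example below, which is not code from the original application. The function names and the sample tab_id values are hypothetical, and `build_request()` is a simplified model of how PHP fills $_REQUEST for scalar values.

```php
<?php
declare(strict_types=1);

// Simplified model of how PHP fills $_REQUEST (scalar values only): sources
// are merged in the configured order and later ones overwrite earlier keys.
// On PHP 5.3+ the request_order directive, when set, is used for $_REQUEST
// instead of variables_order.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hardened read (hypothetical helper): accept tab_id only from the POST body
// and only if it is a positive integer; otherwise return null.
function tab_id_from_post(array $post): ?int
{
    $id = filter_var(
        $post['tab_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Constructed sample data: a stale cookie left by the tab-tracking feature,
// and the value the new report's JavaScript actually posted.
$cookie = ['tab_id' => '3'];
$post   = ['tab_id' => '17'];

// Order GPC: the cookie is merged last, so it wins over the posted value.
$request = build_request('GPC', [], $post, $cookie);
echo "order GPC, \$_REQUEST['tab_id']: {$request['tab_id']}\n";

// Order GP: cookies are never merged, so the posted value survives.
$request = build_request('GP', [], $post, $cookie);
echo "order GP,  \$_REQUEST['tab_id']: {$request['tab_id']}\n";

// Reading the specific superglobal is correct whatever the ini setting is.
echo "explicit \$_POST tab_id:        " . var_export(tab_id_from_post($post), true) . "\n";
echo "missing or non-numeric tab_id: " . var_export(tab_id_from_post(['tab_id' => 'abc']), true) . "\n";
```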
