Just tracked down an interesting bug that I thought should be mentioned. Here are the references so we all understand this a bit better.
$_REQUEST contains a combination of $_GET, $_POST, and $_COOKIE by default.
The variables_order configuration (php.ini) is what determines the content of that $_REQUEST array.
variables_order = GPC
This means that GET, POST, and COOKIE are all mashed up in the $_REQUEST array in that order, each one overriding the previous key/value pairs if they exist. With GPC, a cookie therefore overrides a POST field of the same name.
One feature our application has is the ability to track the last selected tab on a page by storing the tab_id in a cookie. This is only set when you visit certain tabs. Some time later a new feature was created that also used a tab_id field. A random bug started occurring where the tab_id for the new report was not at all correct, causing incorrect data to be saved.
You should be using the most restrictive superglobal possible; in this case $_POST should have been used instead of $_REQUEST.
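The override described above, reproduced as an added example that is not code from the original application. The helper names build_request and colliding_keys are hypothetical, and the request values are constructed sample data.

```php
<?php
declare(strict_types=1);

// Mimic how PHP fills $_REQUEST for an order string such as "GPC":
// sources are merged left to right, so a later letter wins on a key clash.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {   // E and S never reach $_REQUEST
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Keys that appear in more than one source, i.e. candidates for a silent override.
function colliding_keys(array ...$sources): array
{
    $names = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            $names[] = (string) $key;
        }
    }
    return array_keys(array_filter(array_count_values($names), fn (int $n): bool => $n > 1));
}

// Constructed sample data: the cookie was left by the tab tracker,
// the POST body comes from the newer report form.
$get    = [];
$post   = ['tab_id' => '42', 'title' => 'Q3 report'];
$cookie = ['tab_id' => '7'];

$request = build_request('GPC', $get, $post, $cookie);
printf("via REQUEST: tab_id=%s\n", $request['tab_id']);
printf("via POST:    tab_id=%s\n", $post['tab_id']);
printf("collisions:  %s\n", implode(', ', colliding_keys($get, $post, $cookie)));

// Restrictive read: POST only, validated as a positive integer.
// In a real handler this would be filter_input(INPUT_POST, 'tab_id', FILTER_VALIDATE_INT).
$tabId = filter_var($post['tab_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($tabId === false) {
    exit("tab_id missing or invalid\n");
}
printf("saving report for tab %d\n", $tabId);
```

Running colliding_keys over the field and cookie names an application uses is a quick way to find other parameters exposed to the same override.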