php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #76637 Default $_REQUEST is Misrepresented in Documentation
Submitted: 2018-07-18 10:10 UTC Modified: 2021-08-19 12:13 UTC
From: dor dot tumarkin at checkmarx dot com Assigned: cmb (profile)
Status: Not a bug Package: Documentation problem
PHP Version: 7.2.7 OS: Any
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: dor dot tumarkin at checkmarx dot com
New email:
PHP Version: OS:

 

 [2018-07-18 10:10 UTC] dor dot tumarkin at checkmarx dot com 
Description:
------------
---
From manual page: http://www.php.net/reserved.variables.request
---

Documentation states the $_REQUEST is "An associative array that by default contains the contents of $_GET, $_POST and $_COOKIE."
In PHP 7.2.7 (and likely several versions lower), $_COOKIE is not part of $_REQUEST by default, though it could be re-enabled via php.ini. The default behavior is to only include $_GET and $_POST in request_order "due to security concerns", likely because adding C for $_COOKIES enables a wider breadth for value shadowing attacks.

Test script:
---------------
Not applicable.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-08-19 12:13 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: cmb
 [2021-08-19 12:13 UTC] cmb@php.net 
Which sources populate $_REQUEST is determined by request_order,
which is empty by default, and in this case by variable_order,
which is "EGPCS" by default.  The fact that php.ini-development
and php.ini-production set request_order=GP is irrelevant here,
since nobody is required to use them.  As such, the documentation
is correct.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Jul 01 14:01:37 2025 UTC