$_REQUEST


Today, we will discuss $_REQUEST, the most prominent and useful superglobal in PHP for getting user input. The $_REQUEST array lets you retrieve data the user sends, whether it arrives through a form, a URL, or cookies.

This superglobal can contain a wide variety of data derived from different HTTP request methods; for example, it consolidates $_GET, $_POST, and $_COOKIE data into a single, convenient array.

Therefore, if we are dealing with forms or user interactions, this variable helps us avoid creating a handler for each request type.  

What is $_REQUEST and How Does it Work in PHP?

PHP $_REQUEST is a pre-defined (superglobal) array. This also means you do not need to include it or initialize it—it always works.

Treat it like a collection of all data sent to the script at once, whether it is fetched with forms, or sent directly with query strings or cookies.

This lets you access user input all in one place with $_REQUEST. When a user submits a form, types a URL with query parameters, or triggers any action using GET, POST, or COOKIE data, $_REQUEST captures that input. It then stores everything in one convenient location.

This is very useful when you may not know which request method a user will use, as $_REQUEST merges them all.

Note: You have to keep in mind that the array order is GET, POST, then COOKIE data, meaning for any duplicate keys, the default value will come from GET values first, then POST, then COOKIE. If you have a key named "user" in both GET and POST requests, $_REQUEST will take the value from GET.
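
To find duplicate keys before relying on the merged array, the following added example (not part of the original tutorial) lists every key that arrives from more than one source. The helper name find_source_collisions and the sample arrays are constructed for illustration; in a real script you would pass $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example: report keys that arrive from more than one request source.
// find_source_collisions() is a hypothetical helper, not a PHP built-in.

function find_source_collisions(array $get, array $post, array $cookie): array
{
    $sources = ['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie];
    $seen = [];
    foreach ($sources as $name => $values) {
        foreach (array_keys($values) as $key) {
            // Record every source that supplies this key.
            $seen[$key][] = $name;
        }
    }
    // Keep only keys supplied by two or more sources.
    return array_filter($seen, fn(array $from): bool => count($from) > 1);
}

// Constructed sample input standing in for $_GET, $_POST and $_COOKIE.
$get    = ['user' => 'alice', 'page' => '2'];
$post   = ['user' => 'bob', 'comment' => 'hi'];
$cookie = ['user' => 'carol', 'theme' => 'dark'];

foreach (find_source_collisions($get, $post, $cookie) as $key => $from) {
    // A real handler would log this and reject the request instead of guessing.
    printf("ambiguous key '%s' supplied by %s\n", $key, implode(', ', $from));
}
```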

Why Would I Use PHP $_REQUEST Over Other Superglobals?

The choice between $_REQUEST, $_GET, $_POST, or $_COOKIE depends on the level of control needed. $_GET, $_POST, and $_COOKIE each capture data from one specific source. So, it helps to know exactly how users will send data.

When you need flexibility or use multiple request methods, $_REQUEST becomes very useful. You won’t need separate handlers for each method.

For example, with a form submission using both GET and POST, $_REQUEST reads both automatically. No extra coding is required.

Next, you’ll learn how to retrieve data with $_REQUEST. The section also includes a few simple examples to show how it works.

How to Access Data in PHP $_REQUEST

Using $_REQUEST is straightforward. You use it like an array—just provide the key of the data you want to retrieve. Here's a simple example:

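// Fall back to an empty string when the key is absent.
$username = $_REQUEST['username'] ?? '';
// Encode for HTML output to prevent XSS.
echo "Hello, " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');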

The username in the code above is extracted from any incoming GET, POST, or COOKIE data.

One important point: always sanitize input when working with user data. This helps protect your application from security vulnerabilities.

In this example, htmlspecialchars guards against cross-site scripting (XSS) attacks by converting special characters to their HTML entities.

Now, let's look at some examples.

Examples of Use Cases of PHP $_REQUEST

Login Form Handling:

Suppose you are creating a login page where users can submit credentials either as a GET or as a POST.

Using $_REQUEST means you can access either one easily, without writing extra code to check whether the GET or the POST method was used.

// Use an empty string when a field was not submitted.
$username = $_REQUEST['username'] ?? '';
$password = $_REQUEST['password'] ?? '';
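
When a form is only ever meant to be submitted one way, as a login form normally is, its fields can be read from that one source so that credentials are taken from the request body and never from the query string or a cookie. The following is an added example, not code from the original tutorial: read_login_input, its length limits and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: read login fields from the POST body only.
// read_login_input() and the 64/1024 limits are assumptions for illustration.

function read_login_input(string $method, array $post): array
{
    if ($method !== 'POST') {
        return ['ok' => false, 'error' => 'login must be submitted with POST'];
    }
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;

    // A field sent as username[]=x arrives as an array; accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return ['ok' => false, 'error' => 'username and password must be strings'];
    }
    $username = trim($username);
    // Allow-list the username format instead of trying to strip bad characters.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $username)) {
        return ['ok' => false, 'error' => 'invalid username format'];
    }
    // Passwords are never echoed or altered, only bounded in length.
    if ($password === '' || strlen($password) > 1024) {
        return ['ok' => false, 'error' => 'invalid password length'];
    }
    return ['ok' => true, 'username' => $username, 'password' => $password];
}

// Constructed sample requests: [method, POST body].
$samples = [
    ['GET',  []],
    ['POST', ['username' => ['a'], 'password' => 'x']],
    ['POST', ['username' => 'alice', 'password' => 'correct horse']],
];

foreach ($samples as [$method, $post]) {
    $result = read_login_input($method, $post);
    $status = $result['ok']
        ? 'accepted ' . htmlspecialchars($result['username'], ENT_QUOTES, 'UTF-8')
        : 'rejected (' . $result['error'] . ')';
    echo $method, ': ', $status, "\n";
}
// In a real handler: read_login_input($_SERVER['REQUEST_METHOD'], $_POST);
```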

Handling Data as One Piece in Multi-Step Forms with PHP $_REQUEST:

Multi-step forms may mean that data can come from a variety of requests as the users go from step to step.

By using $_REQUEST, you keep your data handling lean. Rather than specifying any of the methods, you catch all form data as users progress through it; this cleans up the code and makes it easier to manage.  

Wrapping Up

PHP provides the $_REQUEST superglobal variable for handling data from user submission forms, URLs, and cookies.

It expands and merges GET, POST, and COOKIE data into a single super-array, allowing user data to be accessed through a single, convenient method instead of requiring separate handlers for each type.

When working with multi-step forms or mixed-method requests, $_REQUEST simplifies coding and ensures you can access the data you need. However, always sanitize user inputs to maintain security.


Frequently Asked Questions (FAQs)

  • What is $_REQUEST in PHP?

    $_REQUEST is a PHP superglobal array that collects data from multiple HTTP request methods: GET, POST, and COOKIE. It allows you to access user input from various sources without specifying each method separately.
  • How does $_REQUEST differ from $_GET and $_POST?

    While $_GET and $_POST capture data from specific HTTP request types, $_REQUEST combines GET, POST, and COOKIE data into a single array. This makes it convenient when you're unsure of the request method, but it can lead to ambiguity if the same key is used across methods.
  • Is it safe to use $_REQUEST for form data?

    $_REQUEST is safe to use if input is sanitized properly. However, because it gathers data from multiple sources, it's best to validate and sanitize inputs to avoid potential security issues, especially for applications handling sensitive data.
  • How do I retrieve a value from $_REQUEST?

    You can access values from $_REQUEST similarly to other arrays by specifying the key. For example:
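    // Fall back to an empty string when the key is absent.
    $username = $_REQUEST['username'] ?? '';
    // Encode for HTML output to prevent XSS.
    echo "Hello, " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');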
    
  • When should I use $_REQUEST over other superglobals?

    Use $_REQUEST when your application needs to handle multiple request types without knowing the method in advance, such as in forms that might submit data via either GET or POST. For cases where only one method is expected, it’s safer to use $_GET or $_POST directly.
  • What is the order of data retrieval in $_REQUEST?

    The default order in $_REQUEST is GET, POST, then COOKIE. This means if there’s a duplicate key across these methods, $_REQUEST will take the GET value first, followed by POST, and then COOKIE.
  • How can I configure the data order in $_REQUEST?

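    The order of sources in $_REQUEST can be modified in the php.ini file with the request_order directive. For example, to prioritize POST over GET, set the following:
    ; One letter per source (G, P, C), registered left to right; a later source overrides an earlier one, so POST wins here.
    request_order = "CGP"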
    
  • Can I use $_REQUEST in a secure application?

    Yes, $_REQUEST can be used securely as long as you follow best practices like input validation and sanitization. Avoid using $_REQUEST if your application relies on data from a specific method, as this can introduce ambiguity and potential security risks.
  • Why is sanitizing $_REQUEST data important?

    Since $_REQUEST can contain data from GET, POST, and COOKIE, unsanitized input may lead to vulnerabilities such as cross-site scripting (XSS) or SQL injection. Always sanitize data to protect against malicious input.
  • How can I handle multi-step forms with $_REQUEST?

    In multi-step forms, $_REQUEST allows you to capture all user input without worrying about the method type. Each step can send data via GET or POST, and $_REQUEST will keep handling it seamlessly. For example:
    // null means this step did not submit the field.
    $stepData = $_REQUEST['step_data'] ?? null;
    // Process each form step
    
  • Is $_REQUEST slower than $_GET or $_POST?

    $_REQUEST might be slightly slower due to combining multiple data sources, but the difference is minimal. For most applications, this is not noticeable. However, if performance is critical, using specific superglobals like $_GET or $_POST may be better.