How to empty REQUEST array?

Question

For my framework, i want to empty/disable REQUEST array for security reasons and users should only use proper arrays such as POST, GET or COOKIE. But i don't know how to do it. Even something like below doesn't seem to work, it empties even GET POST, etc.

$temp_get = $_GET;
$temp_post = $_POST;
$temp_cookie = $_COOKIE;
// empty request array
$_REQUEST = array();
$_GET = $temp_get;
$_POST = $temp_post;
$_COOKIE = $temp_cookie;

Answer 1

Could you loop through $_GET, $_POST and $_COOKIE, saving their data, then clearing $_REQUEST?

$tget = array();
foreach($_GET as $k=>$v)
{
    $tget[$k] = $v;
}

$tpost = array();
foreach($_POST as $k=>$v)
{
    $tpost[$k] = $v;
}

$tcookie = array();
foreach($_COOKIE as $k=>$v)
{
    $tcookie[$k] = $v;
}

unset($_REQUEST);

$_GET = $tget;
$_POST = $tpost;
$_COOKIE = $tcookie;

Answer 2

Would a solution like this work?

<?php

class Request
{
    public static $get, $post, $cookie;

    public function __construct()
    {
        self::$get = $_GET;
        self::$post = $_POST;
        self::$cookie = $_COOKIE;
    }
}

new Request();
$_REQUEST = array();
print_r(Request::$get);

You can test it by going to test.php?a=b&c=d

Answer 3

The right thing to do here is to replace all those functions/variables using $_REQUEST with their correct method. Stick to conventions, GET to pull, POST to insert data, and don't forget $_COOKIE.

If you do not take input from $_REQUEST you will save yourself a lot of trouble. To always be safe just remember to escape any kind of input that might be tampered (_GET,POST,_COOKIE, and don't forget some of those nasty _SERVER variables).

Answer 4

Try doing

unset($_REQUEST);