BernardV

Reputation: 766

Do not Access Superglobal $_REQUEST Array Directly

I have until now been accessing $_REQUEST in my PHP as follows:

//JS - sends the two values as URL (GET) parameters
xmlhttp.open("GET", "logic.php?q=" + itemOne + "&w=" + itemTwo, true);

//PHP - reads them back via $_REQUEST, which merges GET, POST and cookie data
$q = $_REQUEST['q'];
$w = $_REQUEST['w'];

The items being sent through get used for MSSQL server queries (SQLSRV).

My question is what would be the best-practice methods for doing the above differently/correctly? I read somewhere that this is not good in terms of being vulnerable to SQL injection attacks etc.

Upvotes: 0

Views: 1136

Answers (1)

BeetleJuice

Reputation: 40886

My question is what would be the best-practice methods for doing the above differently/correctly?

The example JavaScript you gave used a GET request. The "correct" way to access the parameters would be through PHP's $_GET array. Using $_REQUEST is a bad habit because you lose control over how the data arrived. I'll give you a simple example:

Websites that use token-based authentication often require that you send the token as POST data. If it is considered insecure to exchange private info through a URL parameter, a PHP script that gets the data from $_REQUEST has no way to know how the data arrived, and will mistakenly accept a badly sent token. A better script would look for the token in $_POST. If it's not there, then there is no token, even if a user tried to send it in the URL.

I read somewhere that this is not good in terms of being vulnerable to SQL injection attacks etc.

SQL injection doesn't have to do with $_REQUEST specifically. It can occur whenever you insert user-submitted data directly in your SQL queries, whether the data came from $_REQUEST, $_GET, a file... This terrible code design allows an attacker to take control of your SQL and instruct your DB to execute whatever command he or she wishes (e.g. to exfiltrate or delete your data). To protect yourself against it, learn about prepared statements and parameterized queries.

Upvotes: 1
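Putting the two points of the answer together for the SQLSRV setup in the question, as an added example that is not code from the question or the answer: the parameters are read from $_GET only (the array matching how the JavaScript sent them), validated, and then bound to the query as parameters instead of being spliced into the SQL string. The connection settings, the table `items` and its columns `id`, `code` and `name` are assumed placeholders.

```php
<?php
// Added example, not from the original post. Connection settings and the
// table/column names are assumed placeholders.

// 1. Read from the array that matches the transport the JS used ($_GET for a
//    GET request), never from $_REQUEST, so a value smuggled in via a POST
//    body or a cookie is not silently accepted. filter_input() also lets the
//    type be validated up front.
$q = filter_input(INPUT_GET, 'q', FILTER_VALIDATE_INT); // int, false if invalid, null if absent
$w = filter_input(INPUT_GET, 'w');                      // string, null if absent
if ($q === false || $q === null || $w === null || strlen($w) > 50) {
    http_response_code(400);
    exit('Missing or invalid parameters');
}

// Same principle as the answer's token example: look only in $_POST, so a
// token passed in the URL is treated as absent.
$token = $_POST['token'] ?? null;

$conn = sqlsrv_connect('SERVER\\INSTANCE', [          // assumed connection details
    'Database' => 'mydb', 'UID' => 'appuser', 'PWD' => 'secret',
]);
if ($conn === false) {
    error_log(print_r(sqlsrv_errors(), true));          // log details, don't echo them
    http_response_code(500);
    exit('Database unavailable');
}

// 2. The vulnerable pattern the question is worried about: the raw values are
//    concatenated into the statement, so the input can rewrite the SQL.
// $sql = "SELECT name FROM items WHERE id = $q AND code = '$w'";   // DO NOT USE

// 3. Parameterized query: the driver binds the values to the "?" placeholders,
//    so they are sent as data and never interpreted as SQL text.
$sql    = 'SELECT name FROM items WHERE id = ? AND code = ?';
$params = [$q, $w];
$stmt   = sqlsrv_query($conn, $sql, $params);
if ($stmt === false) {
    error_log(print_r(sqlsrv_errors(), true));
    http_response_code(500);
    exit('Query failed');
}

while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
    echo htmlspecialchars($row['name']), "\n";   // escaping on output is a separate concern
}
sqlsrv_free_stmt($stmt);
sqlsrv_close($conn);
```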
