$_REQUEST - Is it bad?

This is an age-old PHP argument: Is using $_REQUEST dangerous?

For those not in the know, $_REQUEST is a combination of $_COOKIE, $_POST and $_GET. If you try to access $_REQUEST['para'], it will first attempt to retrieve $_COOKIE['para'], then $_POST['para'] and finally $_GET['para']. This has led many people to believe that $_REQUEST is very dangerous to use because cookies can be easily edited by the client. However, this is not so.

Cookies can be easily edited by the client, true. But so can query strings ($_GET) and the request body ($_POST). $_REQUEST requires the same amount of XSS-proofing as the others do.
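
An added example, not part of the original post: it shows that the source that wins for `$_REQUEST['para']` depends on the merge order set by the `request_order` ini directive (`variables_order` when that is unset), and that the value needs the same output escaping whichever source it came from. The helpers `build_request()` and `e()` and the sample arrays are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs standing in for $_GET, $_POST and $_COOKIE.
$get    = ['para' => 'from-query'];
$post   = ['para' => 'from-body'];
$cookie = ['para' => '<script>alert(1)</script>'];

/**
 * Hypothetical helper: merge the sources the way PHP fills $_REQUEST.
 * Letters are processed left to right and later sources overwrite earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Hypothetical helper: escape a value for an HTML text or attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The same key resolves to a different source depending on the configured order.
foreach (['GPC', 'GP', 'CGP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("%-3s => %s\n", $order, e($request['para']));
}

// Reading the explicit source removes the ambiguity; escaping is still required.
printf("GET only => %s\n", e($get['para']));
```

With the order `GPC` the cookie value wins, which matches the lookup order described above; with `GP` cookies never reach the merged array at all.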

The only problem I see with $_REQUEST is that using it doesn't specify whether you are using $_COOKIE, $_GET or $_POST. It would be too ambiguous for me and that's why I leave it be.

Hatkirby on June 18th, 2008 at 10:30:07pm