====== Request Functions / API ======
===== HTTP Request =====
See [[php:http_request_handling]].
==== Superglobals ====
=== $_GET ===
Variables via the URL (HTTP GET)
=== $_POST ===
Variables from a form with method="POST" (HTTP POST)
=== $_COOKIE ===
Variables extracted from the cookie HTTP header, sent by the browser
=== $_REQUEST ===
''$_REQUEST'' is ''$_GET'', ''$_POST'' and ''$_COOKIE'' //combined//. It can be a source of logic errors: if a variable exists in both ''$_GET'' and ''$_POST'', the value is taken from whichever input PHP parsed later, as controlled by the PHP ini setting [[http://www.php.net/manual/en/ini.core.php#ini.variables-order|variables-order]]. With the default setting, a ''$_POST'' variable will override a ''$_GET'' variable of the same name.
=== $_SERVER ===
The ''$_SERVER'' superglobal largely corresponds to variables used in the [[web:cgi|Common Gateway Interface]] - see [[http://cgi-spec.golux.com/draft-coar-cgi-v11-03-clean.html#6.0|Data Input to the CGI Script]].
Watch out for ''$_SERVER'' keys beginning with ''HTTP_X_'' - these are passed straight through from the client request, so they are easy to spoof. It is common to use ''$_SERVER['HTTP_X_FORWARDED_FOR']'' as a fallback for ''$_SERVER['REMOTE_ADDR']'' when a proxy server sits between the client and the server. But ''$_SERVER['HTTP_X_FORWARDED_FOR']'' can easily be spoofed and should not be relied upon - see [[http://lists.seifried.org/pipermail/security/2004-April/003084.html|phpBB IP Spoofing Issue]] for an example of the potential issues and [[DetectingClientAddress]].
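As an added example (not code from the original page), one way to use ''HTTP_X_FORWARDED_FOR'' without trusting it blindly: consult it only when ''REMOTE_ADDR'' is one of your own proxies, and take the rightmost hop that is not a proxy you operate. The ''$trustedProxies'' list and the sample requests are assumed, site-specific values.

```php
<?php
// Added example: resolve the client address without trusting a spoofable
// HTTP_X_FORWARDED_FOR header. $trustedProxies is an assumed list of the
// reverse proxies this site operates; everything else is untrusted.

function clientAddress(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Only look at X-Forwarded-For when the direct peer is our own proxy.
    // A client connecting directly can set the header to anything.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // XFF reads "client, proxy1, proxy2": each proxy appends the peer it saw.
    // Walk from the right, skipping our own proxies; the first address that is
    // not ours is the peer that connected to our edge. Anything further left
    // was supplied by the client and cannot be verified.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // Fall back to REMOTE_ADDR if the value is not even a valid IP.
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote;
        }
        return $hop;
    }
    return $remote;
}

// Constructed sample requests (assumed addresses, not from the original page).
$proxies = ['10.0.0.5'];

// Direct client setting the header itself: peer is not a proxy, header ignored.
var_dump(clientAddress(
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    $proxies
));

// Request via the trusted proxy: the rightmost non-proxy hop is the client.
var_dump(clientAddress(
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.7'],
    $proxies
));
```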
=== $_FILES ===
This array contains files uploaded from a form. This is a prime location for security holes. Use [[http://pear.php.net/package/HTTP_Upload|PEAR::HTTP_Upload]] to upload files - see [[http://vulcanonet.com/soft/index.php?pack=uploader|Pear File Uploader]] for a tutorial.
===== Exploits =====
[[security:attack:global_variable_injection]]
[[security:attack:parameter_manipulation]]
----
//This function list is probably incomplete.//
See [[security:functions:catalog]] and [[security:web_application_security]]