$_GET: variables via the URL (HTTP GET)
$_POST: variables from a form with method="POST" (HTTP POST)
$_COOKIE: variables extracted from the Cookie HTTP header, sent by the browser
$_REQUEST is $_GET, $_POST and $_COOKIE combined. It can be a source of logic errors: if a variable exists in both $_GET and $_POST, the value is taken from whichever input PHP parsed later, as controlled by the PHP ini setting variables_order. With the default setting, a $_POST variable overrides a $_GET variable of the same name.
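As an added example (not code from the original page), the following reads a parameter from one explicitly named source instead of $_REQUEST and refuses the request when the same name arrives through several sources with different values, so the precedence chosen by variables_order never silently decides which value wins. The superglobal arrays are passed in as parameters so the function can be exercised with constructed input; in a real handler pass $_GET, $_POST and $_COOKIE.

```php
<?php
// Added example: resolve a request parameter from an explicit source and
// detect the same name being supplied through several channels with
// conflicting values. $get/$post/$cookie stand in for the superglobals.

function request_param(string $name, array $get, array $post, array $cookie, string $source): ?string
{
    $sources = ['get' => $get, 'post' => $post, 'cookie' => $cookie];
    if (!isset($sources[$source])) {
        throw new InvalidArgumentException("unknown source: $source");
    }

    // Collect every value supplied for $name across all three sources.
    $seen = [];
    foreach ($sources as $label => $arr) {
        if (array_key_exists($name, $arr)) {
            if (!is_string($arr[$name])) {
                // name[]=... produces an array; this helper accepts scalars only.
                throw new UnexpectedValueException("$name must be a scalar string");
            }
            $seen[$label] = $arr[$name];
        }
    }

    // The same name with different values from different channels is either
    // tampering or a logic error; reject instead of letting PHP pick one.
    if (count(array_unique($seen)) > 1) {
        throw new UnexpectedValueException(
            "$name supplied with conflicting values via: " . implode(', ', array_keys($seen))
        );
    }

    return $seen[$source] ?? null;
}

// Constructed input: the same name in the query string and in the POST body.
$get    = ['id' => '42'];
$post   = ['id' => '7'];
$cookie = [];

try {
    echo request_param('id', $get, $post, $cookie, 'post'), "\n";
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Constructed input: only one channel supplies the name, so it resolves cleanly.
echo request_param('id', ['id' => '42'], [], [], 'get'), "\n";
```

Reading from a named source also documents which channel a handler expects, which makes it obvious during review when a state-changing action would accept its parameters from the query string.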
The $_SERVER superglobal largely corresponds to variables used in the Common Gateway Interface - see Data Input to the CGI Script.
Watch out for $_SERVER keys beginning with HTTP_X_: these are passed straight through from the client request, so they are easy to spoof. It's common to use $_SERVER['HTTP_X_FORWARDED_FOR'] as a fallback for $_SERVER['REMOTE_ADDR'] when a proxy server sits between the client and the server. But $_SERVER['HTTP_X_FORWARDED_FOR'] can be easily spoofed and should not be relied upon - see phpBB IP Spoofing Issue for an example of the potential issues, and DetectingClientAddress.
$_FILES contains files uploaded from a form. This is a prime location for security holes. Use PEAR::HTTP_Upload to upload files - see Pear File Uploader for a tutorial.
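For readers who cannot use PEAR::HTTP_Upload, here is an added example (not from the original page or from PEAR) of the checks a handler should make on one $_FILES entry before storing it. The allowed types, size limit and destination directory are assumed policy values; $file stands in for $_FILES['upload'].

```php
<?php
// Added example: validate one $_FILES entry before moving it out of the
// temporary directory. Assumed policy: PNG/JPEG only, at most $maxBytes.

function accept_upload(array $file, string $destDir, int $maxBytes = 2000000): string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

    // 1. PHP's own error code: anything but UPLOAD_ERR_OK is a failed upload.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with error code $err");
    }

    // 2. tmp_name must be a file PHP itself received in this request, not a
    //    path that was injected into the array some other way.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    // 3. Size limit enforced server-side; MAX_FILE_SIZE in the form is a hint only.
    if (($file['size'] ?? 0) > $maxBytes || filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 4. Determine the type from the bytes, never from the client-supplied
    //    $file['type'] or the extension of $file['name'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }

    // 5. Never reuse the client's filename: generate our own and force the
    //    extension that matches the detected type.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return $dest;
}

// Form handler usage (field named "upload"). The destination directory is
// assumed to be outside the web root, so stored files are only ever served
// through a controlled download script rather than executed by the server.
if (isset($_FILES['upload'])) {
    try {
        $stored = accept_upload($_FILES['upload'], '/var/app/uploads');
        echo 'stored as ', htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

The order matters: the error code and is_uploaded_file checks come first because every later check reads the temporary file, and the client-controlled fields (name, type) are never used for any decision.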
See also: Global Variable Attack, Parameter Manipulation Attack
This function list is probably incomplete. See A Catalog of Security Sensitive PHP Functions and Web Application Security