Can $_REQUEST variables lead to code execution?

Hey, I was wondering if there is any kind of vulnerability hidden behind the $_REQUEST variables that everyone should care about. Let's assume that we have the PHPMailer library and we call mail.php through an HTML form tag:

    ...
    //mail.php

    //send email
    $email = $_REQUEST['email'] ;
    $name = $_REQUEST['name'] ;
    $subject = 'mail test';
    $message = $_REQUEST['message'] ;
    $tel = $_REQUEST['tel'];
    $formcontent=" From: $name 
     e-mail: $email 
     Telephone: $tel 
     Message: $message";

    require 'PHPMailer/PHPMailerAutoload.php';
    ....

    $mail = new PHPMailer;
    $mail->Subject = $subject;
    $mail->Body = $formcontent;
    $mail->send();

    ...

Could someone actually forge a payload by sending some "evil" characters that would lead to arbitrary code execution or anything similar?

I decided to write a more detailed answer because security is important.

$_REQUEST is not the problem; how someone uses it is the problem. $_REQUEST is just the sum of $_GET, $_POST and $_COOKIE, so the same principles apply to $_REQUEST.

First of all, if you try to follow the principle of "not trusting any data that comes from a user", you will figure out what to do next.

The important part with any data, no matter where it came from, is that you think about where it is going. So if you put the data into an HTML template and do not escape the important HTML characters, then this could lead to corrupt or hacked websites. The same is true if the data goes to the database or to any other destination.

In your case you use PHPMailer, and I do not know how much security is implemented there. If PHPMailer is not doing any escaping, it could be that someone adds something to the mail that you do not want.

There is one additional issue with $_REQUEST. Because it is the sum of $_GET, $_POST and $_COOKIE, it could be that you do not see all the data, or that you think a value is coming from your URL when it is coming from a cookie.

This is the case if, e.g., $_GET and $_COOKIE have the same key: then you only see one value, depending on your configuration. This is why I prefer to use $_GET, $_POST and $_COOKIE, but the other principles are still valid.
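
Added example, not part of the original question or answer: it simulates how the `request_order` setting decides which source wins when the same key is present twice, then reads the form fields from one explicit source and validates them for a mail destination. The helpers `build_request` and `read_contact_form` are hypothetical names, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Simulates how PHP fills $_REQUEST: the sources named in request_order
// (or variables_order) are merged left to right, and later ones win.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Reads the form from one explicit source and validates each field for its
// destination (hypothetical helper): a plain-text body plus single-line fields.
function read_contact_form(array $post): array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $clean = ['email' => $email];
    foreach (['name', 'tel'] as $field) {
        $value = $post[$field] ?? null;
        // Single-line fields: non-empty strings without control characters (CR, LF, ...).
        if (!is_string($value) || trim($value) === '' || preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException("invalid $field");
        }
        $clean[$field] = trim($value);
    }
    $message = $post['message'] ?? '';
    if (!is_string($message)) {
        throw new InvalidArgumentException('invalid message');
    }
    $clean['message'] = $message;
    return $clean;
}

// Constructed sample input: the key "name" arrives from two sources.
$post   = ['email' => 'alice@example.com', 'name' => 'Alice', 'tel' => '555-0100', 'message' => 'Hello'];
$cookie = ['name' => 'value-from-cookie'];

echo build_request('GP', [], $post, $cookie)['name'], PHP_EOL;
echo build_request('GPC', [], $post, $cookie)['name'], PHP_EOL;
print_r(read_contact_form($post));
```

With the order `GP` the cookie is not merged at all, while with `GPC` the cookie value replaces the posted one under the same key; reading from `$_POST` directly removes that dependence on configuration.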