I recently came across an interesting bug that I thought to share with you PHP/Drupal heads.

Some Drupal modules use the query part of a URL (arguments after the question mark "?") to send information. In my case, the D6 Batch API uses arguments "op" and "id" to specify which batch operation should be executed. At one point, my module was creating a new batch operation with id=68. However, the batch operation kept failing with Drupal saying "Access denied". After finding the line where the code failed, I inserted var_dump($_REQUEST) and found that id had always value = 1, no matter what value I sent on the URL query! However, var_dump($_GET) reported id=68. How weird is that!

Well, the problem turned out to be that $_REQUEST is an array obtained by merging $_POST, $_GET and cookies. Some other PHP application had created a root cookie named "id", and $_REQUEST was picking up that value instead of the one in the URL. When I removed that cookie from my browser, the code worked correctly.

The lesson? Fix your "request_order" php.ini directive (or "variables_order" pre-PHP 5.3) to something that makes sense to your code. In general, watch for name collisions between $_GET, $_POST and cookie values.