From 6293b6b5e582a88a8e2f6c7e442bb9c2028a683b Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 7 Nov 2023 07:11:50 +0900
Subject: [PATCH 1/2] docs: add warning to getVar() in validation.rst

---
 user_guide_src/source/libraries/validation.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/user_guide_src/source/libraries/validation.rst b/user_guide_src/source/libraries/validation.rst
index eb2c497426b2..6fc55822b71a 100644
--- a/user_guide_src/source/libraries/validation.rst
+++ b/user_guide_src/source/libraries/validation.rst
@@ -343,6 +343,13 @@ For example, data returned by multi select dropdown:
 withRequest()
 =============
 
+.. warning:: If you want to validate POST data only, don't use ``withRequest()``.
+    This method uses :ref:`$request->getVar() <incomingrequest-getting-data>`
+    which returns ``$_GET``, ``$_POST`` or ``$_COOKIE`` data in that order
+    (depending on php.ini `request-order <https://www.php.net/manual/en/ini.core.php#ini.request-order>`_).
+    Newer values override older values. POST values may be overridden by the
+    cookies if they have the same name.
+
 One of the most common times you will use the validation library is when validating
 data that was input from an HTTP Request. If desired, you can pass an instance of the
 current Request object and it will take all of the input data and set it as the

From 1149f271913f32ce57ff9adceca721bd1b952067 Mon Sep 17 00:00:00 2001
From: kenjis <kenji.uui@gmail.com>
Date: Tue, 7 Nov 2023 07:12:15 +0900
Subject: [PATCH 2/2] docs: add warning to getVar() in incomingrequest.rst

---
 user_guide_src/source/incoming/incomingrequest.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/user_guide_src/source/incoming/incomingrequest.rst b/user_guide_src/source/incoming/incomingrequest.rst
index 5a58ea1c1608..d3b04bd0c698 100644
--- a/user_guide_src/source/incoming/incomingrequest.rst
+++ b/user_guide_src/source/incoming/incomingrequest.rst
@@ -101,6 +101,11 @@ Getting Data
 
 The ``getVar()`` method will pull from ``$_REQUEST``, so will return any data from ``$_GET``, ``$POST``, or ``$_COOKIE`` (depending on php.ini `request-order <https://www.php.net/manual/en/ini.core.php#ini.request-order>`_).
 
+.. warning:: If you want to validate POST data only, don't use ``getVar()``.
+    Newer values override older values. POST values may be overridden by the
+    cookies if they have the same name, and you set "C" after "P" in
+    `request-order <https://www.php.net/manual/en/ini.core.php#ini.request-order>`_.
+
 .. note:: If the incoming request has a ``Content-Type`` header set to ``application/json``,
     the ``getVar()`` method returns the JSON data instead of ``$_REQUEST`` data.