Yes, its allowed and might be helpful for a number of reasons.

• Debugging — If, for some reason you want to “force” a certain request parameter, you can set a value in the $_REQUEST, $_GET, or $_POST arrays. This would override any value sent by the requesting page, which may be desired.
• Because you’re going to do something with the entire array — if you want to, for example, json_encode all of the $_REQUEST key-value pairs as well as some additional values, it might be faster to just “add” values to $_REQUEST in this manner, then pass $_REQUEST to json_encode().

Regarding your question about $_COOKIE, no you can’t change the value of a cookie that way, only access it.

Note from author: The following example was added as a suggested and approved edit to my original answer. And while it may work, there are better ways to protect your site from injection attacks (e.g. prepared statements). IMHO, a prudent programmer should strongly consider these approaches before relying on the code below.

Think about preventing SQL injection attacks on your website. That simple code will stop them for all $_REQUEST variables (mysqli example):

function injectionwall($dbinterface)
{
    foreach($_REQUEST as $key => $data)
    {
        $_REQUEST[$key]=$dbinterface->real_escape_string($data);
    }
}

All $_REQUEST variables are now safe to use 🙂