which one to use and why ?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

User avatar
PHPycho
Forum Contributor
Posts: 336
Joined: Fri Jan 06, 2006 12:37 pm

which one to use and why ?

Post by PHPycho »

Hello forums !!
I had some few questions.
Suppose for passing the query string through url and retrieving it , i had seen the 2 ways.
one way:

Code: Select all

$_GET['parm']
another way:

Code: Select all

$reqVar = '_' . $_SERVER['REQUEST_METHOD'];
$form_vars = $$reqVar;
$parm = $form_vars['parm'] ;
Can anybody make me clear of using second way, actually i didnt get that .
Thanks in advance to all of you.
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Looks like the second bit autodetects the request method, IE $_GET or $_POST.

I have never had to do that, and I probably never would except in a (very) rare circumstance.

I would just use get or post and be done with it.
JeFFb68CAM
Forum Newbie
Posts: 15
Joined: Tue Apr 03, 2007 11:17 pm

Post by JeFFb68CAM »

If you don't know the request method, $_REQUEST contains both GET and POST data - it would be the best bet.
User avatar
stereofrog
Forum Contributor
Posts: 386
Joined: Mon Dec 04, 2006 6:10 am

Post by stereofrog »

Use $_POST when you expect post, i.e. the data comes or should come from the form with method=POST attribute.
Use $_GET in all other cases.
Don't use $_REQUEST, it's flawed.
User avatar
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

stereofrog wrote:Use $_POST when you expect post, i.e. the data comes or should come from the form with method=POST attribute.
Use $_GET in all other cases.
Don't use $_REQUEST, it's flawed.
Yep, I'll second that.
User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

stereofrog wrote:Use $_POST when you expect post, i.e. the data comes or should come from the form with method=POST attribute.
Use $_GET in all other cases.
Don't use $_REQUEST, it's flawed.
I'll simplify that a little:

Use $_POST when you expect post data.
Use $_GET when you expect get data.
Use $_COOKIE for cookies and $_FILES for uploaded files.
Ignore everything else.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

stereofrog wrote:Don't use $_REQUEST, it's flawed.
Exactly how is $_REQUEST flawed, pray?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I believe stereofrog is referring to that it is an amalgam of various inputs, which can vary from server to server and directory to directory. Currently, the only way to change it is at php.ini level or at a per directory level.

If you know where the data is supposed to come from, use the most specific superglobal.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

There is never a good need to use $_REQUEST really. You should always know where your data is coming from and $_REQUEST takes that control from you. I will reiterate what onion said...
onion2k wrote:
I'll simplify that a little:

Use $_POST when you expect post data.
Use $_GET when you expect get data.
Use $_COOKIE for cookies and $_FILES for uploaded files.
Ignore everything else.
It is not that hard, not that much more code and it is much safer, especially if you do not manage your own server and have to rely on someone else's idea of what your php.ini file should look like.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

So, I have a script that needs to get an item id, via GET or POST:

You want me to:

Code: Select all

if (isset($_POST['id'])) {
  $nId = intval($_POST['id'])
} else {
  if (isset($_GET['id'])) {
    $nId = intval($_GET['id'])
  } else {
    $nId = 0; //default
  }
}
While I would:

Code: Select all

if (isset($_REQUEST['id'])) {
  $nId = intval($_REQUEST['id'])
} else {
  $nId = 0; //default
}
Moreover, in my actual scripts I use a function (simplified) GetInt($variable, $nDefault) like this:

Code: Select all

$nId = GetInt($_REQUEST['id'], 0);
Which you advise me to use as:

Code: Select all

$nId = GetInt($_POST['id'], GetInt($_GET['id'], 0));
True, $_REQUEST may also contain data from other sources, but I usually don't care, and treat them equally (i.e. any unsecure handling I'd do with $_REQUEST, I would have also done with $_GET and $_POST). The only place I actually use $_POST exclusively is in my login system, and it is to protect the user from the side effects of having his password visible in the url. It would not make my script any more insecure had I used $_REQUEST.

So I have good reasons to use $_REQUEST (smaller and more readable code, and some features of my other "library" functions) and I don't have a bad reason not to use it. I would gladly revise my oppinion if I see a viable scenario when using $_REQUEST brings any harm, so I leave the burden of proof to you guys, Everah, onion2k, stereofrog.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

GET and POST are superglobal, so you really don't need to pass them to the function.

This mess here:

Code: Select all

<?php
if (isset($_POST['id'])) {
  $nId = intval($_POST['id'])
} else {
  if (isset($_GET['id'])) {
    $nId = intval($_GET['id'])
  } else {
    $nId = 0; //default
  }
}
?>
can be simplified like:

Code: Select all

<?php
$nId = 0;
if (isset($_POST['id']) || isset($_GET['id'])) {
  $nId = isset($_POST['id']) ? intval($_POST['id']) : intval($_GET['id']);
}
?>
User avatar
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
Contact:

Post by Kieran Huggins »

I'm sort-of with Mordred on this one... although I rarely have an instance when I don't know the request method going in. This is certainly a neat question!
User avatar
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
Contact:

Post by John Cartwright »

Encapsulation. In the world of OOP, a request object would typically handle any of the logic involved in getting variables. Sure it's a little more code but if we were all really concerned about computer cycles we wouldn't be writting PHP :wink:
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Mordred wrote:It would not make my script any more insecure had I used $_REQUEST.
I suppose that is true, since there is no way that someone could spoof a cookie and override GET or POST with it.

By default, the REQUEST order is GPC, with the later value overriding the earlier value. That means that REQUEST uses GET first, then POST, then COOKIE. So if I want to change what you app is seeing, I create a cookie with the field name that you are using and it overrides your GET and POST values.

Try this (gpc-request-test.php)

Code: Select all

<?php
$this_page = basename($_SERVER['SCRIPT_FILENAME']);
if (isset($_POST['text-field']))
{
	echo '<p>This is a form data: ' . $_POST['text-field'] . '</p>';
}

if (isset($_GET['text-field']))
{
	echo '<p>This is query string data: ' . $_GET['text-field'] . '</p>';
}

if (isset($_COOKIE['text-field']))
{
	echo '<p>This is cookie data: ' . $_COOKIE['text-field'] . '</p>';
}

if (isset($_REQUEST['text-field']))
{
	echo '<p>This is REQUEST data: ' . $_REQUEST['text-field'] . '</p>';
}

setcookie('text-field', 'Cookie Text', 0);
?>
<html>
<head><title>GPC Request Tests</title></head>
<body>
<form name="test-form" id="test-form" method="post" action="<?php echo $this_page; ?>?text-field=BlahBlah">
<input type="text" name="text-field" value="some text" /> 
<input type="submit" name="submit" value="Submit this form" />
</form>
</body>
</html>
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Generally, it's considered poor design to expect data under the same name from two different locations. If the order in which the data is parsed changes, your application could start to malfunction. I personally prefer to avoid that by using the most explicit references possible.
Post Reply