Page 1 of 2

which one to use and why ?

Posted: Tue Apr 03, 2007 11:37 pm
by PHPycho
Hello forums !!
I had some few questions.
Suppose for passing the query string through url and retrieving it , i had seen the 2 ways.
one way:

Code: Select all

$_GET['parm']
another way:

Code: Select all

$reqVar = '_' . $_SERVER['REQUEST_METHOD'];
$form_vars = $$reqVar;
$parm = $form_vars['parm'] ;
Can anybody make me clear of using second way, actually i didnt get that .
Thanks in advance to all of you.

Posted: Tue Apr 03, 2007 11:40 pm
by Benjamin
Looks like the second bit autodetects the request method, IE $_GET or $_POST.

I have never had to do that, and I probably never would except in a (very) rare circumstance.

I would just use get or post and be done with it.

Posted: Tue Apr 03, 2007 11:59 pm
by JeFFb68CAM
If you don't know the request method, $_REQUEST contains both GET and POST data - it would be the best bet.

Posted: Wed Apr 04, 2007 4:37 am
by stereofrog
Use $_POST when you expect post, i.e. the data comes or should come from the form with method=POST attribute.
Use $_GET in all other cases.
Don't use $_REQUEST, it's flawed.

Posted: Wed Apr 04, 2007 4:43 am
by Oren
stereofrog wrote:Use $_POST when you expect post, i.e. the data comes or should come from the form with method=POST attribute.
Use $_GET in all other cases.
Don't use $_REQUEST, it's flawed.
Yep, I'll second that.

Posted: Wed Apr 04, 2007 5:55 am
by onion2k
stereofrog wrote:Use $_POST when you expect post, i.e. the data comes or should come from the form with method=POST attribute.
Use $_GET in all other cases.
Don't use $_REQUEST, it's flawed.
I'll simplify that a little:

Use $_POST when you expect post data.
Use $_GET when you expect get data.
Use $_COOKIE for cookies and $_FILES for uploaded files.
Ignore everything else.

Posted: Wed Apr 04, 2007 10:43 am
by Mordred
stereofrog wrote:Don't use $_REQUEST, it's flawed.
Exactly how is $_REQUEST flawed, pray?

Posted: Wed Apr 04, 2007 10:53 am
by feyd
I believe stereofrog is referring to that it is an amalgam of various inputs, which can vary from server to server and directory to directory. Currently, the only way to change it is at php.ini level or at a per directory level.

If you know where the data is supposed to come from, use the most specific superglobal.

Posted: Wed Apr 04, 2007 11:28 am
by RobertGonzalez
There is never a good need to use $_REQUEST really. You should always know where your data is coming from and $_REQUEST takes that control from you. I will reiterate what onion said...
onion2k wrote:
I'll simplify that a little:

Use $_POST when you expect post data.
Use $_GET when you expect get data.
Use $_COOKIE for cookies and $_FILES for uploaded files.
Ignore everything else.
It is not that hard, not that much more code and it is much safer, especially if you do not manage your own server and have to rely on someone else's idea of what your php.ini file should look like.

Posted: Wed Apr 04, 2007 11:51 am
by Mordred
So, I have a script that needs to get an item id, via GET or POST:

You want me to:

Code: Select all

if (isset($_POST['id'])) {
  $nId = intval($_POST['id'])
} else {
  if (isset($_GET['id'])) {
    $nId = intval($_GET['id'])
  } else {
    $nId = 0; //default
  }
}
While I would:

Code: Select all

if (isset($_REQUEST['id'])) {
  $nId = intval($_REQUEST['id'])
} else {
  $nId = 0; //default
}
Moreover, in my actual scripts I use a function (simplified) GetInt($variable, $nDefault) like this:

Code: Select all

$nId = GetInt($_REQUEST['id'], 0);
Which you advise me to use as:

Code: Select all

$nId = GetInt($_POST['id'], GetInt($_GET['id'], 0));
True, $_REQUEST may also contain data from other sources, but I usually don't care, and treat them equally (i.e. any unsecure handling I'd do with $_REQUEST, I would have also done with $_GET and $_POST). The only place I actually use $_POST exclusively is in my login system, and it is to protect the user from the side effects of having his password visible in the url. It would not make my script any more insecure had I used $_REQUEST.

So I have good reasons to use $_REQUEST (smaller and more readable code, and some features of my other "library" functions) and I don't have a bad reason not to use it. I would gladly revise my oppinion if I see a viable scenario when using $_REQUEST brings any harm, so I leave the burden of proof to you guys, Everah, onion2k, stereofrog.

Posted: Wed Apr 04, 2007 12:04 pm
by RobertGonzalez
GET and POST are superglobal, so you really don't need to pass them to the function.

This mess here:

Code: Select all

<?php
if (isset($_POST['id'])) {
  $nId = intval($_POST['id'])
} else {
  if (isset($_GET['id'])) {
    $nId = intval($_GET['id'])
  } else {
    $nId = 0; //default
  }
}
?>
can be simplified like:

Code: Select all

<?php
$nId = 0;
if (isset($_POST['id']) || isset($_GET['id'])) {
  $nId = isset($_POST['id']) ? intval($_POST['id']) : intval($_GET['id']);
}
?>

Posted: Wed Apr 04, 2007 12:06 pm
by Kieran Huggins
I'm sort-of with Mordred on this one... although I rarely have an instance when I don't know the request method going in. This is certainly a neat question!

Posted: Wed Apr 04, 2007 12:15 pm
by John Cartwright
Encapsulation. In the world of OOP, a request object would typically handle any of the logic involved in getting variables. Sure it's a little more code but if we were all really concerned about computer cycles we wouldn't be writting PHP :wink:

Posted: Wed Apr 04, 2007 12:23 pm
by RobertGonzalez
Mordred wrote:It would not make my script any more insecure had I used $_REQUEST.
I suppose that is true, since there is no way that someone could spoof a cookie and override GET or POST with it.

By default, the REQUEST order is GPC, with the later value overriding the earlier value. That means that REQUEST uses GET first, then POST, then COOKIE. So if I want to change what you app is seeing, I create a cookie with the field name that you are using and it overrides your GET and POST values.

Try this (gpc-request-test.php)

Code: Select all

<?php
$this_page = basename($_SERVER['SCRIPT_FILENAME']);
if (isset($_POST['text-field']))
{
	echo '<p>This is a form data: ' . $_POST['text-field'] . '</p>';
}

if (isset($_GET['text-field']))
{
	echo '<p>This is query string data: ' . $_GET['text-field'] . '</p>';
}

if (isset($_COOKIE['text-field']))
{
	echo '<p>This is cookie data: ' . $_COOKIE['text-field'] . '</p>';
}

if (isset($_REQUEST['text-field']))
{
	echo '<p>This is REQUEST data: ' . $_REQUEST['text-field'] . '</p>';
}

setcookie('text-field', 'Cookie Text', 0);
?>
<html>
<head><title>GPC Request Tests</title></head>
<body>
<form name="test-form" id="test-form" method="post" action="<?php echo $this_page; ?>?text-field=BlahBlah">
<input type="text" name="text-field" value="some text" /> 
<input type="submit" name="submit" value="Submit this form" />
</form>
</body>
</html>

Posted: Wed Apr 04, 2007 12:33 pm
by feyd
Generally, it's considered poor design to expect data under the same name from two different locations. If the order in which the data is parsed changes, your application could start to malfunction. I personally prefer to avoid that by using the most explicit references possible.