37

I want clear $_POST array content fully, all examples what I see in internet, looks like this:

if (count($_POST) > 0) {
    foreach ($_POST as $k=>$v) {
        unset($_POST[$k]);
    }
}

Tell please, this variant will be not more better? (Point of view as saving resources)

if (count($_POST) > 0) {
     $_POST = array();
}

or not ?

Oto Shavadze
  • 40,603
  • 55
  • 152
  • 236
  • 4
    Why would you want to empty `$_POST`? – user254875486 Oct 18 '12 at 11:49
  • 6
    You don't even need `count`. `$_POST = array();` and you are all set. – Mahn Oct 18 '12 at 11:49
  • After first time using POST data, I need clear they – Oto Shavadze Oct 18 '12 at 11:50
  • 1
    If you need to change the values of `$_POST` you are doing something wrong. – Jon Oct 18 '12 at 11:50
  • 3
    you dont even require to write condtion. simple $_POST = array(); statement will do. – Rukmi Patel Oct 18 '12 at 11:51
  • 2
    @Jon, @Lex: `$_POST` is writable which is kind of stupid, it can make sense to clear it if you are using an interface like a class to read user input. – Wesley Murch Oct 18 '12 at 11:51
  • @WesleyMurch: Why does it make sense to clear it? – Jon Oct 18 '12 at 11:52
  • Why would you want to clear `$_POST` in the first place? It doesn't make any sense at all. Dont post anything to the next page than. – Dorvalla Oct 18 '12 at 11:52
  • @Jon: To make sure your interface is exclusively used. – Wesley Murch Oct 18 '12 at 11:52
  • @Wesley: I think you shouldn't create a class that directly uses $_POST anyway, so... – user254875486 Oct 18 '12 at 11:54
  • @WesleyMurch: Doesn't sound very convincing to me. If you don't want to touch `$_POST` then simply don't. – Jon Oct 18 '12 at 11:55
  • 1
    There may be other motivations by the OP, but that is a realistic one that I have actually used and to be honest, was quite fond of. it's nice to be certain of things, like that POST data is XSS free or the keys are "safe" (the class may sanitize it then empty the post data, just an example). – Wesley Murch Oct 18 '12 at 11:56
  • 1
    I clear `$_POST` aswell. It's a matter of encapsulation; clearing `$_POST` after you've used it ensures no other part of the application has access to it; otherwise a random bug anywhere can expose the potentially critical data in `$_POST`. – Mahn Oct 18 '12 at 11:58
  • Another cool trick is setting $_POST manually by parsing `php://input`, in case for example you don't want to deal with the silly "`bracket[]` field names are arrays" thing and use duplicate input keys like the rest of the non-PHP programming world is able to. In that case I would just clear POST as the first step before repopulating it. – Wesley Murch Oct 18 '12 at 12:02
  • Don't forget that `POST` data can also be found in `$_REQUEST` – Josh J Sep 10 '15 at 20:05
  • $_POST data is also accessible via the built-in filtering functions, like so: **filter_input(INPUT_POST,'var_int',FILTER_VALIDATE_INT)** Even after clearing the $_POST array, coders can still access input this way! – Matthew Slyman Jun 16 '17 at 20:57
  • I ran into a situation where $_POST supposed to be empty but it is not. In DEV, $_POST is empty as expected. But in PROD, it is not. I have no idea and it will be too time consuming to figure out how $_POST got corrupted. In this case, I make sure $_POST is empty. – Nguai al Mar 31 '20 at 14:46

6 Answers6

64

Yes, that is fine. $_POST is just another variable, except it has (super)global scope.

$_POST = array();

...will be quite enough. The loop is useless. It's probably best to keep it as an array rather than unset it, in case other files are attempting to read it and assuming it is an array.

Wesley Murch
  • 101,186
  • 37
  • 194
  • 228
  • Technically it has [superglobal](http://php.net/manual/en/language.variables.superglobals.php) scope, since the global scope in PHP isn't. – lonesomeday Oct 18 '12 at 11:53
  • Sounds like you have an unrelated issue. If you read the post data before clearing it it's already too late. – Wesley Murch Jan 30 '17 at 18:47
  • Ah, I didn't know that and was suprised why everybody upvoted, thanks! – NaturalBornCamper Jan 30 '17 at 18:48
  • 1
    This unsets $_POST, but you can still do this: **filter_input(INPUT_POST,'password',FILTER_UNSAFE_RAW)** — And things of that sort. (On my FastCGI based PHP installation, this technique returns actual results, despite first unsetting $_POST!) If this is not being done for security reasons, then I fail to understand the legitimate application. – Matthew Slyman Jun 16 '17 at 17:42
  • even shorter $_POST = []; – clockw0rk Jul 21 '20 at 14:30
10

To unset the $_POST variable, redeclare it as an empty array:

$_POST = array();
rationalboss
  • 5,330
  • 3
  • 30
  • 50
  • This unsets $_POST, but you can still do this: **filter_input(INPUT_POST,'password',FILTER_UNSAFE_RAW)** — And things of that sort. (On my FastCGI based PHP installation, this technique returns actual results, despite first unsetting $_POST!) If this is not being done for security reasons, then I fail to understand the legitimate application. – Matthew Slyman Jun 16 '17 at 17:44
  • if you want avoid from re-insert then please use action attribute to direct form submission to other page and the using header redirect to that particular page then your re-submission in the database will fix. @NaturalBornCamper – Laeeq Khan Niazi Feb 21 '19 at 17:55
  • @MatthewSlyman I take back my initial comment now that I understand what you mean. Yes, you can filter input and stuff, but OP did not ask how to ignore post data. could you show us an answere to prevent the dangerous filter_input, maybe? – clockw0rk Jul 21 '20 at 14:36
7

The solutions so far don't work because the POST data is stored in the headers. A redirect solves this issue according this this post.

How to delete $_POST variable upon pressing 'Refresh' button on browser with PHP?

kiwicomb123
  • 1,503
  • 21
  • 26
2

It may appear to be overly awkward, but you're probably better off unsetting one element at a time rather than the entire $_POST array. Here's why: If you're using object-oriented programming, you may have one class use $_POST['alpha'] and another class use $_POST['beta'], and if you unset the array after first use, it will void its use in other classes. To be safe and not shoot yourself in the foot, just drop in a little method that will unset the elements that you've just used: For example:

private function doUnset()
{
    unset($_POST['alpha']);
    unset($_POST['gamma']);
    unset($_POST['delta']);
    unset($_GET['eta']);
    unset($_GET['zeta']);
}

Just call the method and unset just those superglobal elements that have been passed to a variable or argument. Then, the other classes that may need a superglobal element can still use them.

However, you are wise to unset the superglobals as soon as they have been passed to an encapsulated object.

user1732111
  • 56
  • 1
  • 6
Bill
  • 95
  • 3
0

You can use a combination of both unset() and initialization:

unset($_POST);
$_POST = array();

Or in a single statement:

unset($_POST) ? $_POST = array() : $_POST = array();

But what is the reason you want to do this?

Community
  • 1
  • 1
Praveen Kumar Purushothaman
  • 164,888
  • 24
  • 203
  • 252
  • 2
    @Mahn Those who are using the PHP filter functions do not use $_POST to get access to form values. Thus, clearing $_POST is just a way of clearing resources. For instance, if someone dumps more characters into a form field than what is allowed (bypassing all client side validation) and that person is using PHP filter functions, $_POST is something that the developer may want to clear. I have my sanitizer do a pre-check control string lengths, then throw and catch a `RangeException` if a control has more characters than allowed. One might still use $_POST to get a count of controls submitted. – Anthony Rutledge Jul 18 '15 at 22:10
  • @AnthonyRutledge sure, the point is that in this scenario you don't need to *both* `unset` it and set it to an empty array. Simply doing the later is enough to clear it. – Mahn Jul 19 '15 at 16:02
0

To answer "why" someone might use it, I was tempted to use it since I had the $_POST values stored after the page refresh or while going from one page to another. My sense tells me this is not a good practice, but it works nevertheless.

3xCh1_23
  • 1,491
  • 1
  • 20
  • 39