0

I have a functions file where I handle POST and GETS letting the user perform either a post or a get. It's more like an API call.

Should I be doing it like this or would using $_REQUEST handle both a POST and a GET?

```php
// Read the parameters from the superglobal that matches the request method.
if ($_SERVER['REQUEST_METHOD'] === "GET") {
    $function = $_GET['f'];
    $user_id  = $_GET['user_id'];
} elseif ($_SERVER['REQUEST_METHOD'] === "POST") {
    $function = $_POST['f'];
    $user_id  = $_POST['user_id'];
}

$res = new stdClass();

// Dispatch on the requested function name.
if (isset($function)) {
    switch ($function) {
        // ....
    }
}
```
rorypicko
Paul
  • Yes, `$_REQUEST` handles both `$_GET` and `$_POST` – rorypicko Jul 12 '13 at 14:58
  • 1
    I like the way you're doing it now. `$_REQUEST` also potentially has `$_COOKIE` values, depending on the ini variable [variables_order](http://www.php.net/manual/en/ini.core.php#ini.variables-order) which may vary from system to system. Explicit is better than ambiguous. – Michael Berkowski Jul 12 '13 at 14:58
  • That's pretty much the point of having $_REQUEST. – j08691 Jul 12 '13 at 14:58
  • Read the description of the documentation: http://php.net/manual/en/reserved.variables.request.php –  Jul 12 '13 at 14:59
  • Be careful of mixed parameters from different sources, i.e. posting y to index.php?x=1 with z in a cookie and having request contain x, y and z – Waygood Jul 12 '13 at 15:11
  • @Waygood You should check your input anyway. Requests can be forged no matter how the data is sent to your server. Explicitly using `$_GET` or `$_POST` instead of `$_REQUEST` doesn't make it any safer. – GolezTrol Jul 12 '13 at 15:25

5 Answers

4

The benefit that your current approach offers is that you can use the best method for each instance. There are some times when you would not want to GET since it just appends the data to the URL, exposing it to anyone who looks as well as exposing that "call" to anyone who knows how to use URLs for bad things.

If you are worried about catching calls where you may not be able to control the request method, you could add the $_REQUEST as a last resort, but I would suggest limiting what you use that for. Example: just pulling data from the DB and not anything that modifies it.

Robert DeBoer
  • The disadvantage is that he cannot mix $_REQUEST types (within the if statement of course) – rorypicko Jul 12 '13 at 15:04
  • People who know that, also know how to post things. That's not so hard either. It would be bad if your own page would pass sensitive information in the url, but on the receiving side it doesn't hurt to support it. It is easy for debugging purposes. – GolezTrol Jul 12 '13 at 15:05
  • 2
    Another disadvantage is duplicating code! How about this: `$vars = $_SERVER['REQUEST_METHOD'] === "GET" ? $_GET : $_POST;` `$vars['user_id']` – rorypicko Jul 12 '13 at 15:06
  • It would be `$user = ($_SERVER['REQUEST_METHOD'] === 'GET' ? $_GET['user_id'] : $_POST['user_id']);` – Robert DeBoer Jul 12 '13 at 15:12
  • @RobertDeBoer no, I am assigning all values from `$_POST` or `$_GET` to be accessible within `$var` so that you don't need the if statement every time you want to get a variable – rorypicko Jul 12 '13 at 15:56
  • @RoryPicko92 Right, see that now `$var= ($_SERVER['REQUEST_METHOD'] === 'GET' ? $_GET : $_POST);` – Robert DeBoer Jul 12 '13 at 15:59
  • @RobertDeBoer the parentheses only add readability benefits, they are both programmatically the same and return the same results. – rorypicko Jul 12 '13 at 16:01
  • Learn something new every day – Robert DeBoer Jul 12 '13 at 20:50
  • @RoryPicko92 would the assignment to `$var` cause a copy to occur (i.e. with added CPU/memory expenses)? If so, would this: `$vars = $_SERVER['REQUEST_METHOD'] === "GET" ? &$_GET : &$_POST;` prevent the copy (i.e. by using the [PHP reference operator](http://www.php.net/manual/en/language.references.php))? – humanityANDpeace Mar 29 '14 at 21:57
  • @humanityANDpeace PHP does not duplicate on assignment, but on write. Take a look at this SO Q&A for more details and links to articles http://stackoverflow.com/questions/7993658/php-variables-reference-and-memory-usage – rorypicko Mar 31 '14 at 10:04
3

If you want to allow both, you can just use $_REQUEST. It's much easier if you don't care whether the value was POSTed or -er- GETted. Note, though, that $_REQUEST may contain cookies as well, based on settings in PHP.ini.

GolezTrol
  • 1
    "request_order: Note that the default distribution php.ini files does not contain the 'C' for cookies, due to security concerns.", meaning $_REQUEST can contain any of the 3, depending on the server config. – Luke Jul 12 '13 at 15:11
1

$_REQUEST can be both $_POST and $_GET, but it can also be $_COOKIE as well, depending on the request_order or variables_order settings. Because it can also be neither of these depending on an ini setting, I wouldn't use it at all.

My recommendation is to use $_GET and $_POST separately. They mean completely different things. You want to use a $_POST for an action, and a $_GET for fetching. If you want form filling based on $_GET you can use $_SERVER['REQUEST_METHOD'] == 'POST' to determine what is actually happening and toggle between the two.

Luke
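How the sources mix under different `request_order` values, next to an explicit per-method reader with validation. This is an added example, not code from any of the posts above. `build_request`, `read_api_input`, `ALLOWED_FUNCTIONS` and the sample request are assumptions made for illustration, and `build_request` only models PHP's documented left-to-right registration.

```php
<?php

// Model of how PHP fills $_REQUEST: sources are registered left to right in
// request_order, and a later source overwrites an earlier one on a key clash.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Hypothetical allowlist of values accepted for the "f" parameter.
const ALLOWED_FUNCTIONS = ['get_profile', 'update_profile'];

// Explicit alternative: read only from the array that matches the request
// method, then validate each field. Returns null when the input is rejected.
function read_api_input(string $method, array $get, array $post): ?array
{
    if ($method === 'GET') {
        $input = $get;
    } elseif ($method === 'POST') {
        $input = $post;
    } else {
        return null; // any other verb is refused
    }
    $function = $input['f'] ?? null;
    $userId   = filter_var($input['user_id'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    if (!in_array($function, ALLOWED_FUNCTIONS, true) || $userId === false) {
        return null;
    }
    return ['f' => $function, 'user_id' => $userId];
}

// Constructed sample: POST to index.php?f=get_profile with body user_id=42,
// sent by a browser that also holds a cookie named user_id.
$get    = ['f' => 'get_profile'];
$post   = ['user_id' => '42'];
$cookie = ['user_id' => '7'];

// With "GP" the POST value is kept; with "GPC" the cookie is registered last.
var_dump(build_request('GP', $get, $post, $cookie));
var_dump(build_request('GPC', $get, $post, $cookie));
// The explicit reader ignores the cookie and the query string on a POST.
var_dump(read_api_input('POST', $get, $post));
var_dump(read_api_input('POST', [], ['f' => 'update_profile', 'user_id' => '42']));
```

`ini_get('request_order')` reports the order in effect on a given server; when it is empty, PHP falls back to `variables_order`.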
0

Yes you can, $_REQUEST handles both $_POST and $_GET.

Sled
Yuda Prawira
0

$_REQUEST is the most convenient way to handle both types of request ($_GET & $_POST). So use $_REQUEST:

REQUEST METHOD IN PHP

Harshal