1

This seems like a bit of a silly question, but I couldn't find a definitive answer either way and am not sure where to look.

I'm working on a new PHP code base, and have used $_GET in some places. However the person reviewing my code has stated that:

$_GET and $_POST will be phased out at some point in favour of $_REQUEST

I'm new to PHP, but this seems dubious as being able to know how URL variables were set is important for security. Is this statement correct?

  • 6
    That's nonsense, I'm afraid to say. `$_GET` and `$_POST` are more explicit than `$_REQUEST`, and in many cases therefore more secure since you don't have the possibility of values from `$_COOKIE` (for example) polluting your form input. – Michael Berkowski Aug 05 '13 at 00:56
  • 1
    Maybe the team's own agreed-upon standard is favoring `$_REQUEST`? There is nothing in the [superglobals documentation](http://php.net/manual/en/language.variables.superglobals.php) to indicate that they're being deprecated. – Michael Berkowski Aug 05 '13 at 00:58
  • http://php.net/manual/en/reserved.variables.get.php If it were getting phased, you would see a redbox like [this](http://www.php.net/manual/en/function.mysql-connect.php). – Dave Chen Aug 05 '13 at 00:58
  • 1
    If you're working as a team, this might be an order to switch to `$_REQUEST`, in that case, you should follow your orders. – Dave Chen Aug 05 '13 at 00:59
  • @MichaelBerkowski thats what I thought, but couldn't be sure. If its a convention thats one thing, but I don't like conventions based on falsehoods. –  Aug 05 '13 at 01:00
  • Please check out http://stackoverflow.com/questions/1924939/php-request-vs-get-and-post – Dave Chen Aug 05 '13 at 01:00
  • @DaveChen In general I agree with you, but I'm in a complex situation. Basically, if this "convention" doesn't make sense, I have the ability to refute and change it. –  Aug 05 '13 at 01:01
  • 1
    @LegoStormtroopr Yes, discuss it with the team - if `$_REQUEST` is what they want, so be it. But if they insist `$_GET/$_POST` are being deprecated, ask for a cited source. And if the source is not official PHP docs, but rather somebody's blog post for example, kindly inform that until the official docs mention deprecation (and they would, years in advance of it actually occurring) it is perfectly safe to use `$_GET/$_POST`. – Michael Berkowski Aug 05 '13 at 01:02
  • get the review to post on S.O explaining him\her self –  Aug 05 '13 at 01:03
  • Someone voted to close this as 'opinion-based'. I think that the deprecation of core functionality is pretty cut-and-dry. Either there is an official statement saying it will be deprecated or, there isn't. No statement means no official position, means no plans to deprecate. –  Aug 05 '13 at 01:24

2 Answers2

3

Absolutely not. The person reviewing your code is not aware of the differences between $_GET, $_POST, and $_REQUEST and the implications of using $_REQUEST instead of the more specific array.

Use $_REQUEST if you have a reason to not care about the verb being used for the request. Also remember that cookies appear in $_REQUEST.

Brad
  • 159,648
  • 54
  • 349
  • 530
  • The distinction between `$_GET` and `$_POST` is not the verb (although `$_POST` does only appear with POST requests) - `$_GET` is exclusively for variables appearing in the request URI, and `$_POST` for variables appearing in the request body. –  Aug 05 '13 at 01:11
  • @duskwuff, Agreed, but if you're submitting a form or AJAX request via GET, your data ends in the request URI (and thus in `$_GET`) and via POST, it shows up in POST data (and thus in `$_POST`). Yes, you can put in querystring data with a POST request, but this isn't really done much in practice. – Brad Aug 05 '13 at 01:13
  • @brad you could do a post to `example.com/foo.php?id=bar` and you'll have your `$_POST` values, but also `$_GET['id']`. So it is indeed possible to have `$_GET` values when the verb you are using is `POST`. – Carlos Campderrós Aug 06 '13 at 06:57
-1

I don't think so, GET and POST are two different methods used in parameters passing. And Their usages are quite different, if you use the GET method, parameters are passed directly in the url, and you can see the parameters in your server's log, while if you use POST method, parameters are not shown in the url, and there will be no trace of parameters in the log at all.

Besides, if you are familiar with the REST, you will find more difference. GET is used to get data from the service while POST is used to create new data entry in the service.

Hope helps!

BitHigher
  • 501
  • 3
  • 12
  • 2
    no RESTful, its not a framework. http://en.wikipedia.org/wiki/Representational_state_transfer –  Aug 05 '13 at 01:07