26

I've seen a lot of PHP code that handles form input in which the input field names contain square brackets. I understand that this somehow results in PHP arrays when a PHP script examines the $_POST variable.

Example HTML:

<form action='http://zzz.com' method='post'>
    <input name='fruit[1]' value='apple' />
    <input name='fruit[2]' value='banana' />
</form>

Example URL:

http://zzz.com?fruit[1]=apple&fruit[2]=banana

Example PHP:

assert($_POST['fruit'] === array(1=>'apple', 2=>'banana'));

My questions about this:

  • What is the mechanism behind it? At what point do these names that contain brackets get converted into arrays? Is this a feature of the HTTP protocol? Of web servers? Of the PHP language?

  • Continuing the previous question, is this a commonly used hack or a normal programming tool?

  • What are (all) the rules for using brackets in input field names?

  • Can multidimensional arrays be created this way?

flup
  • 26,937
  • 7
  • 52
  • 74
shealtiel
  • 8,020
  • 18
  • 50
  • 82
  • Thanks for catching that typo, @flup! I put 'PHP' back in the title (with better wording) because the question applies to PHP handling only. Hoping you concur. – Bob Stein Mar 24 '13 at 17:13

3 Answers3

16

What is the mechanism behind? At which point this names that merely contain brackets are converted to arrays? Is this a feature of the HTPP protocol? Of web servers? Of the PHP language?>

This is a feature of the PHP language. In fact, the HTTP protocol does not forbid the use of multiple identical GET/POST parameters. According to the HTTP spec, the following:

foo=bar&foo=baz

Should not result in foo == baz. These are two parameters with two different values. However, PHP will overwrite the former foo with the latest, resulting in $_POST['foo'] == 'baz', even if they could be parsed separately.

Continuing the previous question, is this a commonly used hack or a normal programming tool?

It depends on the point of view. In the PHP world, it is completely normal, as the language does not support the specification of multiple parameters of the same name without using the brackets []. In the HTTP world though, foo != foo[].

What are (all) the rules of using brackets in input field names?

The same as PHP arrays, except that you don't have to quote string keys.

Can multidimensional arrays be created this way?

Yes, you can.

netcoder
  • 66,435
  • 19
  • 125
  • 142
  • How can multidimensional arrays be created with this method? – Shawn Aug 28 '12 at 18:50
  • 1
    @Shawn: You mean like `foo[bar][baz]`? – netcoder Aug 28 '12 at 18:55
  • That would be the way to read the array. What do I use on my form elements to create such an array? – Shawn Aug 28 '12 at 19:01
  • @Shawn: Exactly the above: `name="foo[bar][baz]"` – netcoder Aug 28 '12 at 19:12
  • Oh I see, I was looking for something automatic like the unidimensional arrays `name=foo[]`, but I guess the computer can't guess which "dimension" to increase... Thanks for you help! – Shawn Aug 28 '12 at 19:37
  • And how the heck do I read from such a field with js? jQuery("input[name=a[bcd]").val() throws a Syntax error – Advanced May 14 '14 at 10:41
  • 1
    @Advanced: use `jQuery('input[name="a[bcd]"]')` (single quotes for the expression, double quotes for `name`). – netcoder May 14 '14 at 10:48
  • I need different information about this feature. How is it called so that I can use proper google search keywords? – Tomáš Zato Jan 09 '15 at 15:13
  • Note; this feature is also in Ruby on Rails https://medium.com/@soni.dumitru/parameter-naming-conventions-rails-forms-bf9bd68302b3 – Erikw Feb 17 '22 at 19:55
5

To my knowledge, this is a mechanism of PHP internally seeing (and parsing) elements passed via form (GET/POST) with the [] postfix and interpreting them as an array of elements. The HTTP protocol doesn't care, it merely passes the element's name with it's associated value in the query string.

It's been a normal programming tool as far back as I can remember (I think I even remember it more commonly used for multi-file uploads back when you had "add file" links that appended another element to the form, using the same name (with []) as the previous.)

The same rules that apply in PHP apply in the form. You can use [] to auto-index the elements (for generic lists) or explicitly list them using element IDs (e.g. file[1], file[2], etc. (following my previous example))

Yes, multi-dimensional arrays can be used.

For more information, check out PHP's very own _POST documentation (especially the comments)

Brad Christie
  • 100,477
  • 16
  • 156
  • 200
  • 1
    @Brad Christie: I would never advice to read comments at php.net due to they were written by newbies mostly and are not moderated. – zerkms Dec 28 '10 at 03:54
  • 3
    @zerkms: I beg to differ. Like MSDN, the comments are a good place to find common problems and work-arounds. Granted, you're right, there is bad code/poor practices on there, I often find more good information than bad within the comments. Anything not particularly helpful or misguided is often corrected by the more senior enthusiasts anyways. Besides, I don't think you can get in too much trouble trying the examples found on there. likewise, anyone who may suffer from performance or security flaws posted on there is at a level where they would know better anyways, IMHO of course. – Brad Christie Dec 28 '10 at 03:59
  • @Brad Christie: i think `better` cannot be applied to security ;-) Either application is well secured or secured a little better than nothing ;-) In this case it is better to not even see the "little better" solution, but find a solution that describes best practice. – zerkms Dec 28 '10 at 04:06
  • 1
    @zerkms: I guess my conclusion was if you're at a point where you're looking to the comments for "best practice", you're already in trouble. I personally have learned more failing then I have searching for the best way and applying only that. Just as any publicity is good publicity, any person's code is code you can learn from (albeit for positive or negative reasons). – Brad Christie Dec 28 '10 at 04:14
  • @zerkms anyone with a @php.net account can moderate comments. – scoates Dec 28 '10 at 04:39
  • @scoates: yes, but they don't do it. Or at least they don't remove comments with crap and evil code. – zerkms Dec 28 '10 at 04:45
  • @zerkm yes, there's crap in there. Yes, there's evil code in there. There are also plenty of gems that haven't made their way into the manual yet. To say they're not moderated is doing a disservice to those of us who have spent many hours moderating the (sometimes) hundreds of comments that come in every day; especially to those who still spend that time. http://news.php.net/php.notes ; Less complaining and more helping, please. – scoates Dec 28 '10 at 05:52
3

  • This is completely php language feature. HTTP knows nothing about arrays. In http either foo or bar[baz] is just a names of variable

  • It is a normal practice

  • Use them when it is handy for you. For example: to group several fields, that belong to one entity, such as news[title] + news[body]

  • Yes. TIAS

zerkms
  • 249,484
  • 69
  • 436
  • 539