Related
I am using Laravel to create a RESTFUL application and I test the application with Postman. Currently, there is an issue for PATCH or PUT if the data sent from Postman with form-data.
// Parameter `{testimonial}` will be sent to backend.
Route::post ('testimonials/{testimonial}', 'TestimonialController#update');
// Parameter `{testimonial}` will not be sent to backend (`$request->all()` will be empty) if sent from Postman with form-data.
Route::patch ('testimonials/{testimonial}', 'TestimonialController#update');
Route::put ('testimonials/{testimonial}', 'TestimonialController#update');
Using form-data, $request->all() will be okay for POST.
Using x-www-form-urlencoded, $request->all() will be okay for PATCH, PUT, and POST.
However, if I am sending PUT and PATCH with form-data from Postman, the $request->all() will be empty (the parameters will not be sent to backend).
Right now the solution is to use POST for updating a model. I want to know why PATCH and PUT is not working when sent with form-data from Postman.
This is a known issue and the workaround suggestion as per the following Github comment is that when sending a PATCH / PUT requests you should do the following:
You should send POST and set _method to PUT (same as sending forms) to make your files visible
So essentially you send a POST request with a parameter which sets the actual method and Laravel seems to understand that.
As per the documentation:
Since HTML forms can't make PUT, PATCH, or DELETE requests, you will need to add a hidden _method field to spoof these HTTP verbs. The #method Blade directive can create this field for you:
<form action="/foo/bar" method="POST">
#method('PUT')
...
</form>
Alternatively, you can use the method_field helper function to do the above:
The method_field function generates an HTML hidden input field containing the spoofed value of the form's HTTP verb. For example, using Blade syntax:
<form method="POST">
{{ method_field('PUT') }}
</form>
I learnt how to solve it here on this post and I'd like to share what did I do.
The following image is how I setup the Postman to send a HTTP POST request and go into PUT Request and make it receive my files.
I'm not sure whether it is the right way to do a RESTFul API. But it works fine
so as everyone mentioned above and explained everything, but still i dont see the answer for cases when using a REST API so i fallowed #Caique Andrade answer and send a POST request and formed my URL link like this:
url = 'https://yourwebsite.com/api/v1/users/$id?_method=PUT';
$id is the variable id for the user.
?_method=PUT is added to the url POST request to spoof the request and it works
in my case i used Dart in flutter and sent a post request using Http package Laravel catches that POST request as a PUT request
Laravel PATCH and PUT method does not work with form-data, it's known issue of Symfony and even PHP (Google for that - Laravel use many Symfony foundation packages, include Request).
If you do not need to pass file(s) via request, change form-data to raw with json content-type. E.g: {"name":"changed"}. It will be read as php://input and your code should work well ($request->all() is now ["name" => "changed]).
If you need to pass file(s), in my opinion, DO NOT pass it within the REST API methods. You can write another method to do whatever you need with your file(s) (E.g: POST form-data -> upload file -> update db -> return a file path/url/even its base64 content), then you can use its output/result to continue with your patch/put method (raw with json content-type). I always do that when I work with files in API.
Hope this help!
InertiaJS Solution
I had the same problem. When no file was send, everything works perfectly, but when i send a file, none of the fields make it to the backend.
It seems that it's a PHP limitation, receiving no file via put, as said here before.
So, for those using InertiaJS, you need to make a post - instead of a put - call and add _method: "put" to your inertia form, like this:
updateForm: this.$inertia.form({
_method: "put",
"other fields"
}),
Your controller will understand it like a PUT call, but with the file accessible to the backend.
Source:
https://inertiajs.com/manual-visits#method
I hope it is not too late, or if someone is seeking help with the FormData interface of JavaScript. Here is the solution,
In Laravel, you can use #script47 answers above, for normal Ajax request you can append the data like this, (PS: I'm using same form for Add and Update so here is my code)
let _url = '';
let _type = 'POST';
let _formData = new FormData(this);
if(user_id == '' || user_id == null){
_url = "{{ route('users.store') }}";
}else{
_url = "{{ route('users.update', ':id') }}";
_url = _url.replace(':id', user_id);
_formData.append('_method', 'PUT');
// _type = 'PUT';
}
As mentioned, this isn't a symfony (or laravel, or any other framework) issue, it's a limitation of PHP.
After trawling through a good few RFCs for php core, the core development team seem somewhat resistant to implementing anything to do with modernising the handling of HTTP requests. The issue was first reported in 2011, it doesn't look any closer to having a native solution.
That said, I managed to find this PECL extension. I'm not really very familiar with pecl, and couldn't seem to get it working using pear. but I'm using CentOS and Remi PHP which has a yum package.
I ran yum install php-pecl-apfd and it literally fixed the issue straight away (well I had to restart my docker containers but that was a given).
That is, request->all() and files->get() started working again with PATCH and PUT requests using multipart/form-data.
I believe there are other packages in various flavours of linux and I'm sure anybody with more knowledge of pear/pecl/general php extensions could get it running on windows or mac with no issue.
As #DazBaldwin says, this is a php limitation and can be solve installing apfd extension. On windows just download the dll file here according to your system settings and put php_apfd.dll on path-to-php/ext directory finally put extension=apfd in php.ini file.
it worked for me on windows.
The form media types do not have any semantics defined for PATCH, so it's really a bad idea to use them (see https://www.rfc-editor.org/errata/eid3169).
For PUT, the expected behaviour would be to store just the form-encoded payload (in that format). Is this really what you want here?
If You Route Method Is Patch And Use Postman For Api Request
If you want to send a file, for the controller, when using postman, you must set the sending mode to the post method and in the form-data section
key = _Method
Value = PATCH
You do not have to set the file so that you do not encounter any errors when sending the request.
You can also create a custom function in your controller to update the product then create an api route.
public function updateTestimonial($id, Request $request) {
$testimonial = Testimonial::where('id', '=', $id)->first();
//update logic
}
Api route
Route::post('updatetestimonial/{id}', 'Testimonial#updateTestimonial');
Use a post request and pass testimonial id.
submitForm() {
let data = new FormData();
data.append('id', this.testtimonial.id);
data.append('description', this.testtimonial.description);
axios.post("/api/updatetestimonial/" + this.testimonial.id , data, {
headers: {
'accept': 'application/json',
'Accept-Language': 'en-US,en;q=0.8',
'Content-Type': 'multipart/form-data',
}
}).then(({ data }) => {
console.log("success");
});
},
I know this article is old.
But unfortunately, PHP still does not pay attention to form-data other than the Post method.
But you can use the library I wrote for this purpose:
composer require alireaza/php-form-data
You can also use composer require alireaza/laravel-form-data in Laravel.
You can use post method.
const form = new
just append form.append('_method', 'PATCH');
I have been directed to use the method php://input instead of $_POST when interacting with Ajax requests from JQuery. What I do not understand is the benefits of using this vs the global method of $_POST or $_GET.
The reason is that php://input returns all the raw data after the HTTP-headers of the request, regardless of the content type.
The PHP superglobal $_POST, only is supposed to wrap data that is either
application/x-www-form-urlencoded (standard content type for simple form-posts) or
multipart/form-data (mostly used for file uploads)
This is because these are the only content types that must be supported by user agents. So the server and PHP traditionally don't expect to receive any other content type (which doesn't mean they couldn't).
So, if you simply POST a good old HTML form, the request looks something like this:
POST /page.php HTTP/1.1
key1=value1&key2=value2&key3=value3
But if you are working with Ajax a lot, this probaby also includes exchanging more complex data with types (string, int, bool) and structures (arrays, objects), so in most cases JSON is the best choice. But a request with a JSON-payload would look something like this:
POST /page.php HTTP/1.1
{"key1":"value1","key2":"value2","key3":"value3"}
The content would now be application/json (or at least none of the above mentioned), so PHP's $_POST-wrapper doesn't know how to handle that (yet).
The data is still there, you just can't access it through the wrapper. So you need to fetch it yourself in raw format with file_get_contents('php://input') (as long as it's not multipart/form-data-encoded).
This is also how you would access XML-data or any other non-standard content type.
First, a basic truth about PHP.
PHP was not designed to explicitly give you a pure REST (GET, POST, PUT, PATCH, DELETE) like interface for handling HTTP requests.
However, the $_SERVER, $_COOKIE, $_POST, $_GET, and $_FILES superglobals, and the function filter_input_array() are very useful for the average person's / layman's needs.
The number one hidden advantage of $_POST (and $_GET) is that your input data is url-decoded automatically by PHP. You never even think about having to do it, especially for query string parameters within a standard GET request, or HTTP body data submitted with a POST request.
Other HTTP Request Methods
Those studying the underlying HTTP protocol and its various request methods come to understand that there are many HTTP request methods, including the often referenced PUT, PATCH (not used in Google's Apigee), and DELETE.
In PHP, there are no superglobals or input filter functions for getting HTTP request body data when POST is not used. What are disciples of Roy Fielding to do? ;-)
However, then you learn more ...
That being said, as you advance in your PHP programming knowledge and want to use JavaScript's XmlHttpRequest object (jQuery for some), you come to see the limitation of this scheme.
$_POST limits you to the use of two media types in the HTTP Content-Type header:
application/x-www-form-urlencoded, and
multipart/form-data
Thus, if you want to send data values to PHP on the server, and have it show up in the $_POST superglobal, then you must urlencode it on the client-side and send said data as key/value pairs--an inconvenient step for novices (especially when trying to figure out if different parts of the URL require different forms of urlencoding: normal, raw, etc..).
For all you jQuery users, the $.ajax() method is converting your JSON to URL encoded key/value pairs before transmitting them to the server. You can override this behavior by setting processData: false. Just read the $.ajax() documentation, and don't forget to send the correct media type in the Content-Type header.
php://input, but ...
Even if you use php://input instead of $_POST for your HTTP POST request body data, it will not work with an HTTP Content-Type of multipart/form-data This is the content type that you use on an HTML form when you want to allow file uploads!
<form enctype="multipart/form-data" accept-charset="utf-8" action="post">
<input type="file" name="resume">
</form>
Therefore, in traditional PHP, to deal with a diversity of content types from an HTTP POST request, you will learn to use $_POST or filter_input_array(POST), $_FILES, and php://input. There is no way to just use one, universal input source for HTTP POST requests in PHP.
You cannot get files through $_POST, filter_input_array(POST), or php://input, and you cannot get JSON/XML/YAML in either filter_input_array(POST) or $_POST.
PHP Manual: php://input
php://input is a read-only stream that allows you to read raw data
from the request body...php://input is not available with
enctype="multipart/form-data".
PHP Frameworks to the rescue?
PHP frameworks like Codeigniter 4 and Laravel use a facade to provide a cleaner interface (IncomingRequest or Request objects) to the above. This is why professional PHP developers use frameworks instead of raw PHP.
Of course, if you like to program, you can devise your own facade object to provide what frameworks do. It is because I have taken time to investigate this issue that I am able to write this answer.
URL encoding? What the heck!!!???
Typically, if you are doing a normal, synchronous (when the entire page redraws) HTTP requests with an HTML form, the user-agent (web browser) will urlencode your form data for you. If you want to do an asynchronous HTTP requests using the XmlHttpRequest object, then you must fashion a urlencoded string and send it, if you want that data to show up in the $_POST superglobal.
How in touch are you with JavaScript? :-)
Converting from a JavaScript array or object to a urlencoded string bothers many developers (even with new APIs like Form Data). They would much rather just be able to send JSON, and it would be more efficient for the client code to do so.
Remember (wink, wink), the average web developer does not learn to use the XmlHttpRequest object directly, global functions, string functions, array functions, and regular expressions like you and I ;-). Urlencoding for them is a nightmare. ;-)
PHP, what gives?
PHP's lack of intuitive XML and JSON handling turns many people off. You would think it would be part of PHP by now (sigh).
So many media types (MIME types in the past)
XML, JSON, and YAML all have media types that can be put into an HTTP Content-Type header.
application/xml
applicaiton/json
application/yaml (although IANA has no official designation listed)
Look how many media-types (formerly, MIME types) are defined by IANA.
Look how many HTTP headers there are.
php://input or bust
Using the php://input stream allows you to circumvent the baby-sitting / hand holding level of abstraction that PHP has forced on the world. :-) With great power comes great responsibility!
Now, before you deal with data values streamed through php://input, you should / must do a few things.
Determine if the correct HTTP method has been indicated (GET, POST,
PUT, PATCH, DELETE, ...)
Determine if the HTTP Content-Type header has been transmitted.
Determine if the value for the Content-Type is the desired media
type.
Determine if the data sent is well formed XML / JSON / YAML /
etc.
If necessary, convert the data to a PHP datatype: array or
object.
If any of these basic checks or conversions fails, throw an exception!
What about the character encoding?
AH, HA! Yes, you might want the data stream being sent into your application to be UTF-8 encoded, but how can you know if it is or not?
Two critical problems.
You do not know how much data is coming through php://input.
You do not know for certain the current encoding of the data stream.
Are you going to attempt to handle stream data without knowing how much is there first? That is a terrible idea. You cannot rely exclusively on the HTTP Content-Length header for guidance on the size of streamed input because it can be spoofed.
You are going to need a:
Stream size detection algorithm.
Application defined stream size limits (Apache / Nginx / PHP limits may be too broad).
Are you going to attempt to convert stream data to UTF-8 without knowing the current encoding of the stream? How? The iconv stream filter (iconv stream filter example) seems to want a starting and ending encoding, like this.
'convert.iconv.ISO-8859-1/UTF-8'
Thus, if you are conscientious, you will need:
Stream encoding detection algorithm.
Dynamic / runtime stream filter definition algorithm (because you cannot know the starting encoding a priori).
(Update: 'convert.iconv.UTF-8/UTF-8' will force everything to UTF-8, but you still have to account for characters that the iconv library might not know how to translate. In other words, you have to some how define what action to take when a character cannot be translated: 1) Insert a dummy character, 2) Fail / throw and exception).
You cannot rely exclusively on the HTTP Content-Encoding header, as this might indicate something like compression as in the following. This is not what you want to make a decision off of in regards to iconv.
Content-Encoding: gzip
Therefore, the general steps might be ...
Part I: HTTP Request Related
Determine if the correct HTTP method has been indicated (GET, POST,
PUT, PATCH, DELETE, ...)
Determine if the HTTP Content-Type header has been transmitted.
Determine if the value for the Content-Type is the desired media
type.
Part II: Stream Data Related
Determine the size of the input stream (optional, but recommended).
Determine the encoding of the input stream.
If necessary, convert the input stream to the desired character
encoding (UTF-8).
If necessary, reverse any application level compression or encryption, and then repeat steps 4, 5, and 6.
Part III: Data Type Related
Determine if the data sent is well formed XML / JSON / YMAL /
etc.
(Remember, the data can still be a URL encoded string which you must then parse and URL decode).
If necessary, convert the data to a PHP datatype: array or
object.
Part IV: Data Value Related
Filter input data.
Validate input data.
Now do you see?
The $_POST superglobal, along with php.ini settings for limits on input, are simpler for the layman. However, dealing with character encoding is much more intuitive and efficient when using streams because there is no need to loop through superglobals (or arrays, generally) to check input values for the proper encoding.
php://input can give you the raw bytes of the data. This is useful if the POSTed data is a JSON encoded structure, which is often the case for an AJAX POST request.
Here's a function to do just that:
/**
* Returns the JSON encoded POST data, if any, as an object.
*
* #return Object|null
*/
private function retrieveJsonPostData()
{
// get the raw POST data
$rawData = file_get_contents("php://input");
// this returns null if not valid json
return json_decode($rawData);
}
The $_POST array is more useful when you're handling key-value data from a form, submitted by a traditional POST. This only works if the POSTed data is in a recognised format, usually application/x-www-form-urlencoded (see http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4 for details).
If post data is malformed, $_POST will not contain anything. Yet, php://input will have the malformed string.
For example there is some ajax applications, that do not form correct post key-value sequence for uploading a file, and just dump all the file as post data, without variable names or anything.
$_POST will be empty, $_FILES empty also, and php://input will contain exact file, written as a string.
if (strtoupper($_SERVER['REQUEST_METHOD']) != 'POST') {
throw new Exception('Only POST requests are allowed');
}
// Make sure Content-Type is application/json
$content_type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
if (stripos($content_type, 'application/json') === false) {
throw new Exception('Content-Type must be application/json');
}
// Read the input stream
$body = file_get_contents("php://input");
// Decode the JSON object
$object = json_decode($body, true);
Simple example of how to use it
<?php
if(!isset($_POST) || empty($_POST)) {
?>
<form name="form1" method="post" action="">
<input type="text" name="textfield"><br />
<input type="submit" name="Submit" value="submit">
</form>
<?php
} else {
$example = file_get_contents("php://input");
echo $example; }
?>
I am using Laravel to create a RESTFUL application and I test the application with Postman. Currently, there is an issue for PATCH or PUT if the data sent from Postman with form-data.
// Parameter `{testimonial}` will be sent to backend.
Route::post ('testimonials/{testimonial}', 'TestimonialController#update');
// Parameter `{testimonial}` will not be sent to backend (`$request->all()` will be empty) if sent from Postman with form-data.
Route::patch ('testimonials/{testimonial}', 'TestimonialController#update');
Route::put ('testimonials/{testimonial}', 'TestimonialController#update');
Using form-data, $request->all() will be okay for POST.
Using x-www-form-urlencoded, $request->all() will be okay for PATCH, PUT, and POST.
However, if I am sending PUT and PATCH with form-data from Postman, the $request->all() will be empty (the parameters will not be sent to backend).
Right now the solution is to use POST for updating a model. I want to know why PATCH and PUT is not working when sent with form-data from Postman.
This is a known issue and the workaround suggestion as per the following Github comment is that when sending a PATCH / PUT requests you should do the following:
You should send POST and set _method to PUT (same as sending forms) to make your files visible
So essentially you send a POST request with a parameter which sets the actual method and Laravel seems to understand that.
As per the documentation:
Since HTML forms can't make PUT, PATCH, or DELETE requests, you will need to add a hidden _method field to spoof these HTTP verbs. The #method Blade directive can create this field for you:
<form action="/foo/bar" method="POST">
#method('PUT')
...
</form>
Alternatively, you can use the method_field helper function to do the above:
The method_field function generates an HTML hidden input field containing the spoofed value of the form's HTTP verb. For example, using Blade syntax:
<form method="POST">
{{ method_field('PUT') }}
</form>
I learnt how to solve it here on this post and I'd like to share what did I do.
The following image is how I setup the Postman to send a HTTP POST request and go into PUT Request and make it receive my files.
I'm not sure whether it is the right way to do a RESTFul API. But it works fine
so as everyone mentioned above and explained everything, but still i dont see the answer for cases when using a REST API so i fallowed #Caique Andrade answer and send a POST request and formed my URL link like this:
url = 'https://yourwebsite.com/api/v1/users/$id?_method=PUT';
$id is the variable id for the user.
?_method=PUT is added to the url POST request to spoof the request and it works
in my case i used Dart in flutter and sent a post request using Http package Laravel catches that POST request as a PUT request
Laravel PATCH and PUT method does not work with form-data, it's known issue of Symfony and even PHP (Google for that - Laravel use many Symfony foundation packages, include Request).
If you do not need to pass file(s) via request, change form-data to raw with json content-type. E.g: {"name":"changed"}. It will be read as php://input and your code should work well ($request->all() is now ["name" => "changed]).
If you need to pass file(s), in my opinion, DO NOT pass it within the REST API methods. You can write another method to do whatever you need with your file(s) (E.g: POST form-data -> upload file -> update db -> return a file path/url/even its base64 content), then you can use its output/result to continue with your patch/put method (raw with json content-type). I always do that when I work with files in API.
Hope this help!
InertiaJS Solution
I had the same problem. When no file was send, everything works perfectly, but when i send a file, none of the fields make it to the backend.
It seems that it's a PHP limitation, receiving no file via put, as said here before.
So, for those using InertiaJS, you need to make a post - instead of a put - call and add _method: "put" to your inertia form, like this:
updateForm: this.$inertia.form({
_method: "put",
"other fields"
}),
Your controller will understand it like a PUT call, but with the file accessible to the backend.
Source:
https://inertiajs.com/manual-visits#method
I hope it is not too late, or if someone is seeking help with the FormData interface of JavaScript. Here is the solution,
In Laravel, you can use #script47 answers above, for normal Ajax request you can append the data like this, (PS: I'm using same form for Add and Update so here is my code)
let _url = '';
let _type = 'POST';
let _formData = new FormData(this);
if(user_id == '' || user_id == null){
_url = "{{ route('users.store') }}";
}else{
_url = "{{ route('users.update', ':id') }}";
_url = _url.replace(':id', user_id);
_formData.append('_method', 'PUT');
// _type = 'PUT';
}
As mentioned, this isn't a symfony (or laravel, or any other framework) issue, it's a limitation of PHP.
After trawling through a good few RFCs for php core, the core development team seem somewhat resistant to implementing anything to do with modernising the handling of HTTP requests. The issue was first reported in 2011, it doesn't look any closer to having a native solution.
That said, I managed to find this PECL extension. I'm not really very familiar with pecl, and couldn't seem to get it working using pear. but I'm using CentOS and Remi PHP which has a yum package.
I ran yum install php-pecl-apfd and it literally fixed the issue straight away (well I had to restart my docker containers but that was a given).
That is, request->all() and files->get() started working again with PATCH and PUT requests using multipart/form-data.
I believe there are other packages in various flavours of linux and I'm sure anybody with more knowledge of pear/pecl/general php extensions could get it running on windows or mac with no issue.
As #DazBaldwin says, this is a php limitation and can be solve installing apfd extension. On windows just download the dll file here according to your system settings and put php_apfd.dll on path-to-php/ext directory finally put extension=apfd in php.ini file.
it worked for me on windows.
The form media types do not have any semantics defined for PATCH, so it's really a bad idea to use them (see https://www.rfc-editor.org/errata/eid3169).
For PUT, the expected behaviour would be to store just the form-encoded payload (in that format). Is this really what you want here?
If You Route Method Is Patch And Use Postman For Api Request
If you want to send a file, for the controller, when using postman, you must set the sending mode to the post method and in the form-data section
key = _Method
Value = PATCH
You do not have to set the file so that you do not encounter any errors when sending the request.
You can also create a custom function in your controller to update the product then create an api route.
public function updateTestimonial($id, Request $request) {
$testimonial = Testimonial::where('id', '=', $id)->first();
//update logic
}
Api route
Route::post('updatetestimonial/{id}', 'Testimonial#updateTestimonial');
Use a post request and pass testimonial id.
submitForm() {
let data = new FormData();
data.append('id', this.testtimonial.id);
data.append('description', this.testtimonial.description);
axios.post("/api/updatetestimonial/" + this.testimonial.id , data, {
headers: {
'accept': 'application/json',
'Accept-Language': 'en-US,en;q=0.8',
'Content-Type': 'multipart/form-data',
}
}).then(({ data }) => {
console.log("success");
});
},
I know this article is old.
But unfortunately, PHP still does not pay attention to form-data other than the Post method.
But you can use the library I wrote for this purpose:
composer require alireaza/php-form-data
You can also use composer require alireaza/laravel-form-data in Laravel.
You can use post method.
const form = new
just append form.append('_method', 'PATCH');
I have been directed to use the method php://input instead of $_POST when interacting with Ajax requests from JQuery. What I do not understand is the benefits of using this vs the global method of $_POST or $_GET.
The reason is that php://input returns all the raw data after the HTTP-headers of the request, regardless of the content type.
The PHP superglobal $_POST, only is supposed to wrap data that is either
application/x-www-form-urlencoded (standard content type for simple form-posts) or
multipart/form-data (mostly used for file uploads)
This is because these are the only content types that must be supported by user agents. So the server and PHP traditionally don't expect to receive any other content type (which doesn't mean they couldn't).
So, if you simply POST a good old HTML form, the request looks something like this:
POST /page.php HTTP/1.1
key1=value1&key2=value2&key3=value3
But if you are working with Ajax a lot, this probaby also includes exchanging more complex data with types (string, int, bool) and structures (arrays, objects), so in most cases JSON is the best choice. But a request with a JSON-payload would look something like this:
POST /page.php HTTP/1.1
{"key1":"value1","key2":"value2","key3":"value3"}
The content would now be application/json (or at least none of the above mentioned), so PHP's $_POST-wrapper doesn't know how to handle that (yet).
The data is still there, you just can't access it through the wrapper. So you need to fetch it yourself in raw format with file_get_contents('php://input') (as long as it's not multipart/form-data-encoded).
This is also how you would access XML-data or any other non-standard content type.
First, a basic truth about PHP.
PHP was not designed to explicitly give you a pure REST (GET, POST, PUT, PATCH, DELETE) like interface for handling HTTP requests.
However, the $_SERVER, $_COOKIE, $_POST, $_GET, and $_FILES superglobals, and the function filter_input_array() are very useful for the average person's / layman's needs.
The number one hidden advantage of $_POST (and $_GET) is that your input data is url-decoded automatically by PHP. You never even think about having to do it, especially for query string parameters within a standard GET request, or HTTP body data submitted with a POST request.
Other HTTP Request Methods
Those studying the underlying HTTP protocol and its various request methods come to understand that there are many HTTP request methods, including the often referenced PUT, PATCH (not used in Google's Apigee), and DELETE.
In PHP, there are no superglobals or input filter functions for getting HTTP request body data when POST is not used. What are disciples of Roy Fielding to do? ;-)
However, then you learn more ...
That being said, as you advance in your PHP programming knowledge and want to use JavaScript's XmlHttpRequest object (jQuery for some), you come to see the limitation of this scheme.
$_POST limits you to the use of two media types in the HTTP Content-Type header:
application/x-www-form-urlencoded, and
multipart/form-data
Thus, if you want to send data values to PHP on the server, and have it show up in the $_POST superglobal, then you must urlencode it on the client-side and send said data as key/value pairs--an inconvenient step for novices (especially when trying to figure out if different parts of the URL require different forms of urlencoding: normal, raw, etc..).
For all you jQuery users, the $.ajax() method is converting your JSON to URL encoded key/value pairs before transmitting them to the server. You can override this behavior by setting processData: false. Just read the $.ajax() documentation, and don't forget to send the correct media type in the Content-Type header.
php://input, but ...
Even if you use php://input instead of $_POST for your HTTP POST request body data, it will not work with an HTTP Content-Type of multipart/form-data This is the content type that you use on an HTML form when you want to allow file uploads!
<form enctype="multipart/form-data" accept-charset="utf-8" action="post">
<input type="file" name="resume">
</form>
Therefore, in traditional PHP, to deal with a diversity of content types from an HTTP POST request, you will learn to use $_POST or filter_input_array(POST), $_FILES, and php://input. There is no way to just use one, universal input source for HTTP POST requests in PHP.
You cannot get files through $_POST, filter_input_array(POST), or php://input, and you cannot get JSON/XML/YAML in either filter_input_array(POST) or $_POST.
PHP Manual: php://input
php://input is a read-only stream that allows you to read raw data
from the request body...php://input is not available with
enctype="multipart/form-data".
PHP Frameworks to the rescue?
PHP frameworks like Codeigniter 4 and Laravel use a facade to provide a cleaner interface (IncomingRequest or Request objects) to the above. This is why professional PHP developers use frameworks instead of raw PHP.
Of course, if you like to program, you can devise your own facade object to provide what frameworks do. It is because I have taken time to investigate this issue that I am able to write this answer.
URL encoding? What the heck!!!???
Typically, if you are doing a normal, synchronous (when the entire page redraws) HTTP requests with an HTML form, the user-agent (web browser) will urlencode your form data for you. If you want to do an asynchronous HTTP requests using the XmlHttpRequest object, then you must fashion a urlencoded string and send it, if you want that data to show up in the $_POST superglobal.
How in touch are you with JavaScript? :-)
Converting from a JavaScript array or object to a urlencoded string bothers many developers (even with new APIs like Form Data). They would much rather just be able to send JSON, and it would be more efficient for the client code to do so.
Remember (wink, wink), the average web developer does not learn to use the XmlHttpRequest object directly, global functions, string functions, array functions, and regular expressions like you and I ;-). Urlencoding for them is a nightmare. ;-)
PHP, what gives?
PHP's lack of intuitive XML and JSON handling turns many people off. You would think it would be part of PHP by now (sigh).
So many media types (MIME types in the past)
XML, JSON, and YAML all have media types that can be put into an HTTP Content-Type header.
application/xml
applicaiton/json
application/yaml (although IANA has no official designation listed)
Look how many media-types (formerly, MIME types) are defined by IANA.
Look how many HTTP headers there are.
php://input or bust
Using the php://input stream allows you to circumvent the baby-sitting / hand holding level of abstraction that PHP has forced on the world. :-) With great power comes great responsibility!
Now, before you deal with data values streamed through php://input, you should / must do a few things.
Determine if the correct HTTP method has been indicated (GET, POST,
PUT, PATCH, DELETE, ...)
Determine if the HTTP Content-Type header has been transmitted.
Determine if the value for the Content-Type is the desired media
type.
Determine if the data sent is well formed XML / JSON / YAML /
etc.
If necessary, convert the data to a PHP datatype: array or
object.
If any of these basic checks or conversions fails, throw an exception!
What about the character encoding?
AH, HA! Yes, you might want the data stream being sent into your application to be UTF-8 encoded, but how can you know if it is or not?
Two critical problems.
You do not know how much data is coming through php://input.
You do not know for certain the current encoding of the data stream.
Are you going to attempt to handle stream data without knowing how much is there first? That is a terrible idea. You cannot rely exclusively on the HTTP Content-Length header for guidance on the size of streamed input because it can be spoofed.
You are going to need a:
Stream size detection algorithm.
Application defined stream size limits (Apache / Nginx / PHP limits may be too broad).
Are you going to attempt to convert stream data to UTF-8 without knowing the current encoding of the stream? How? The iconv stream filter (iconv stream filter example) seems to want a starting and ending encoding, like this.
'convert.iconv.ISO-8859-1/UTF-8'
Thus, if you are conscientious, you will need:
Stream encoding detection algorithm.
Dynamic / runtime stream filter definition algorithm (because you cannot know the starting encoding a priori).
(Update: 'convert.iconv.UTF-8/UTF-8' will force everything to UTF-8, but you still have to account for characters that the iconv library might not know how to translate. In other words, you have to some how define what action to take when a character cannot be translated: 1) Insert a dummy character, 2) Fail / throw and exception).
You cannot rely exclusively on the HTTP Content-Encoding header, as this might indicate something like compression as in the following. This is not what you want to make a decision off of in regards to iconv.
Content-Encoding: gzip
Therefore, the general steps might be ...
Part I: HTTP Request Related
Determine if the correct HTTP method has been indicated (GET, POST,
PUT, PATCH, DELETE, ...)
Determine if the HTTP Content-Type header has been transmitted.
Determine if the value for the Content-Type is the desired media
type.
Part II: Stream Data Related
Determine the size of the input stream (optional, but recommended).
Determine the encoding of the input stream.
If necessary, convert the input stream to the desired character
encoding (UTF-8).
If necessary, reverse any application level compression or encryption, and then repeat steps 4, 5, and 6.
Part III: Data Type Related
Determine if the data sent is well formed XML / JSON / YMAL /
etc.
(Remember, the data can still be a URL encoded string which you must then parse and URL decode).
If necessary, convert the data to a PHP datatype: array or
object.
Part IV: Data Value Related
Filter input data.
Validate input data.
Now do you see?
The $_POST superglobal, along with php.ini settings for limits on input, are simpler for the layman. However, dealing with character encoding is much more intuitive and efficient when using streams because there is no need to loop through superglobals (or arrays, generally) to check input values for the proper encoding.
php://input can give you the raw bytes of the data. This is useful if the POSTed data is a JSON encoded structure, which is often the case for an AJAX POST request.
Here's a function to do just that:
/**
* Returns the JSON encoded POST data, if any, as an object.
*
* #return Object|null
*/
private function retrieveJsonPostData()
{
// get the raw POST data
$rawData = file_get_contents("php://input");
// this returns null if not valid json
return json_decode($rawData);
}
The $_POST array is more useful when you're handling key-value data from a form, submitted by a traditional POST. This only works if the POSTed data is in a recognised format, usually application/x-www-form-urlencoded (see http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4 for details).
If post data is malformed, $_POST will not contain anything. Yet, php://input will have the malformed string.
For example there is some ajax applications, that do not form correct post key-value sequence for uploading a file, and just dump all the file as post data, without variable names or anything.
$_POST will be empty, $_FILES empty also, and php://input will contain exact file, written as a string.
if (strtoupper($_SERVER['REQUEST_METHOD']) != 'POST') {
throw new Exception('Only POST requests are allowed');
}
// Make sure Content-Type is application/json
$content_type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
if (stripos($content_type, 'application/json') === false) {
throw new Exception('Content-Type must be application/json');
}
// Read the input stream
$body = file_get_contents("php://input");
// Decode the JSON object
$object = json_decode($body, true);
Simple example of how to use it
<?php
if(!isset($_POST) || empty($_POST)) {
?>
<form name="form1" method="post" action="">
<input type="text" name="textfield"><br />
<input type="submit" name="Submit" value="submit">
</form>
<?php
} else {
$example = file_get_contents("php://input");
echo $example; }
?>
I have been directed to use the method php://input instead of $_POST when interacting with Ajax requests from JQuery. What I do not understand is the benefits of using this vs the global method of $_POST or $_GET.
The reason is that php://input returns all the raw data after the HTTP-headers of the request, regardless of the content type.
The PHP superglobal $_POST, only is supposed to wrap data that is either
application/x-www-form-urlencoded (standard content type for simple form-posts) or
multipart/form-data (mostly used for file uploads)
This is because these are the only content types that must be supported by user agents. So the server and PHP traditionally don't expect to receive any other content type (which doesn't mean they couldn't).
So, if you simply POST a good old HTML form, the request looks something like this:
POST /page.php HTTP/1.1
key1=value1&key2=value2&key3=value3
But if you are working with Ajax a lot, this probaby also includes exchanging more complex data with types (string, int, bool) and structures (arrays, objects), so in most cases JSON is the best choice. But a request with a JSON-payload would look something like this:
POST /page.php HTTP/1.1
{"key1":"value1","key2":"value2","key3":"value3"}
The content would now be application/json (or at least none of the above mentioned), so PHP's $_POST-wrapper doesn't know how to handle that (yet).
The data is still there, you just can't access it through the wrapper. So you need to fetch it yourself in raw format with file_get_contents('php://input') (as long as it's not multipart/form-data-encoded).
This is also how you would access XML-data or any other non-standard content type.
First, a basic truth about PHP.
PHP was not designed to explicitly give you a pure REST (GET, POST, PUT, PATCH, DELETE) like interface for handling HTTP requests.
However, the $_SERVER, $_COOKIE, $_POST, $_GET, and $_FILES superglobals, and the function filter_input_array() are very useful for the average person's / layman's needs.
The number one hidden advantage of $_POST (and $_GET) is that your input data is url-decoded automatically by PHP. You never even think about having to do it, especially for query string parameters within a standard GET request, or HTTP body data submitted with a POST request.
Other HTTP Request Methods
Those studying the underlying HTTP protocol and its various request methods come to understand that there are many HTTP request methods, including the often referenced PUT, PATCH (not used in Google's Apigee), and DELETE.
In PHP, there are no superglobals or input filter functions for getting HTTP request body data when POST is not used. What are disciples of Roy Fielding to do? ;-)
However, then you learn more ...
That being said, as you advance in your PHP programming knowledge and want to use JavaScript's XmlHttpRequest object (jQuery for some), you come to see the limitation of this scheme.
$_POST limits you to the use of two media types in the HTTP Content-Type header:
application/x-www-form-urlencoded, and
multipart/form-data
Thus, if you want to send data values to PHP on the server, and have it show up in the $_POST superglobal, then you must urlencode it on the client-side and send said data as key/value pairs--an inconvenient step for novices (especially when trying to figure out if different parts of the URL require different forms of urlencoding: normal, raw, etc..).
For all you jQuery users, the $.ajax() method is converting your JSON to URL encoded key/value pairs before transmitting them to the server. You can override this behavior by setting processData: false. Just read the $.ajax() documentation, and don't forget to send the correct media type in the Content-Type header.
php://input, but ...
Even if you use php://input instead of $_POST for your HTTP POST request body data, it will not work with an HTTP Content-Type of multipart/form-data This is the content type that you use on an HTML form when you want to allow file uploads!
<form enctype="multipart/form-data" accept-charset="utf-8" action="post">
<input type="file" name="resume">
</form>
Therefore, in traditional PHP, to deal with a diversity of content types from an HTTP POST request, you will learn to use $_POST or filter_input_array(POST), $_FILES, and php://input. There is no way to just use one, universal input source for HTTP POST requests in PHP.
You cannot get files through $_POST, filter_input_array(POST), or php://input, and you cannot get JSON/XML/YAML in either filter_input_array(POST) or $_POST.
PHP Manual: php://input
php://input is a read-only stream that allows you to read raw data
from the request body...php://input is not available with
enctype="multipart/form-data".
PHP Frameworks to the rescue?
PHP frameworks like Codeigniter 4 and Laravel use a facade to provide a cleaner interface (IncomingRequest or Request objects) to the above. This is why professional PHP developers use frameworks instead of raw PHP.
Of course, if you like to program, you can devise your own facade object to provide what frameworks do. It is because I have taken time to investigate this issue that I am able to write this answer.
URL encoding? What the heck!!!???
Typically, if you are doing a normal, synchronous (when the entire page redraws) HTTP requests with an HTML form, the user-agent (web browser) will urlencode your form data for you. If you want to do an asynchronous HTTP requests using the XmlHttpRequest object, then you must fashion a urlencoded string and send it, if you want that data to show up in the $_POST superglobal.
How in touch are you with JavaScript? :-)
Converting from a JavaScript array or object to a urlencoded string bothers many developers (even with new APIs like Form Data). They would much rather just be able to send JSON, and it would be more efficient for the client code to do so.
Remember (wink, wink), the average web developer does not learn to use the XmlHttpRequest object directly, global functions, string functions, array functions, and regular expressions like you and I ;-). Urlencoding for them is a nightmare. ;-)
PHP, what gives?
PHP's lack of intuitive XML and JSON handling turns many people off. You would think it would be part of PHP by now (sigh).
So many media types (MIME types in the past)
XML, JSON, and YAML all have media types that can be put into an HTTP Content-Type header.
application/xml
applicaiton/json
application/yaml (although IANA has no official designation listed)
Look how many media-types (formerly, MIME types) are defined by IANA.
Look how many HTTP headers there are.
php://input or bust
Using the php://input stream allows you to circumvent the baby-sitting / hand holding level of abstraction that PHP has forced on the world. :-) With great power comes great responsibility!
Now, before you deal with data values streamed through php://input, you should / must do a few things.
Determine if the correct HTTP method has been indicated (GET, POST,
PUT, PATCH, DELETE, ...)
Determine if the HTTP Content-Type header has been transmitted.
Determine if the value for the Content-Type is the desired media
type.
Determine if the data sent is well formed XML / JSON / YAML /
etc.
If necessary, convert the data to a PHP datatype: array or
object.
If any of these basic checks or conversions fails, throw an exception!
What about the character encoding?
AH, HA! Yes, you might want the data stream being sent into your application to be UTF-8 encoded, but how can you know if it is or not?
Two critical problems.
You do not know how much data is coming through php://input.
You do not know for certain the current encoding of the data stream.
Are you going to attempt to handle stream data without knowing how much is there first? That is a terrible idea. You cannot rely exclusively on the HTTP Content-Length header for guidance on the size of streamed input because it can be spoofed.
You are going to need a:
Stream size detection algorithm.
Application defined stream size limits (Apache / Nginx / PHP limits may be too broad).
Are you going to attempt to convert stream data to UTF-8 without knowing the current encoding of the stream? How? The iconv stream filter (iconv stream filter example) seems to want a starting and ending encoding, like this.
'convert.iconv.ISO-8859-1/UTF-8'
Thus, if you are conscientious, you will need:
Stream encoding detection algorithm.
Dynamic / runtime stream filter definition algorithm (because you cannot know the starting encoding a priori).
(Update: 'convert.iconv.UTF-8/UTF-8' will force everything to UTF-8, but you still have to account for characters that the iconv library might not know how to translate. In other words, you have to some how define what action to take when a character cannot be translated: 1) Insert a dummy character, 2) Fail / throw and exception).
You cannot rely exclusively on the HTTP Content-Encoding header, as this might indicate something like compression as in the following. This is not what you want to make a decision off of in regards to iconv.
Content-Encoding: gzip
Therefore, the general steps might be ...
Part I: HTTP Request Related
Determine if the correct HTTP method has been indicated (GET, POST,
PUT, PATCH, DELETE, ...)
Determine if the HTTP Content-Type header has been transmitted.
Determine if the value for the Content-Type is the desired media
type.
Part II: Stream Data Related
Determine the size of the input stream (optional, but recommended).
Determine the encoding of the input stream.
If necessary, convert the input stream to the desired character
encoding (UTF-8).
If necessary, reverse any application level compression or encryption, and then repeat steps 4, 5, and 6.
Part III: Data Type Related
Determine if the data sent is well formed XML / JSON / YMAL /
etc.
(Remember, the data can still be a URL encoded string which you must then parse and URL decode).
If necessary, convert the data to a PHP datatype: array or
object.
Part IV: Data Value Related
Filter input data.
Validate input data.
Now do you see?
The $_POST superglobal, along with php.ini settings for limits on input, are simpler for the layman. However, dealing with character encoding is much more intuitive and efficient when using streams because there is no need to loop through superglobals (or arrays, generally) to check input values for the proper encoding.
php://input can give you the raw bytes of the data. This is useful if the POSTed data is a JSON encoded structure, which is often the case for an AJAX POST request.
Here's a function to do just that:
/**
* Returns the JSON encoded POST data, if any, as an object.
*
* #return Object|null
*/
private function retrieveJsonPostData()
{
// get the raw POST data
$rawData = file_get_contents("php://input");
// this returns null if not valid json
return json_decode($rawData);
}
The $_POST array is more useful when you're handling key-value data from a form, submitted by a traditional POST. This only works if the POSTed data is in a recognised format, usually application/x-www-form-urlencoded (see http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4 for details).
If post data is malformed, $_POST will not contain anything. Yet, php://input will have the malformed string.
For example there is some ajax applications, that do not form correct post key-value sequence for uploading a file, and just dump all the file as post data, without variable names or anything.
$_POST will be empty, $_FILES empty also, and php://input will contain exact file, written as a string.
if (strtoupper($_SERVER['REQUEST_METHOD']) != 'POST') {
throw new Exception('Only POST requests are allowed');
}
// Make sure Content-Type is application/json
$content_type = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
if (stripos($content_type, 'application/json') === false) {
throw new Exception('Content-Type must be application/json');
}
// Read the input stream
$body = file_get_contents("php://input");
// Decode the JSON object
$object = json_decode($body, true);
Simple example of how to use it
<?php
if(!isset($_POST) || empty($_POST)) {
?>
<form name="form1" method="post" action="">
<input type="text" name="textfield"><br />
<input type="submit" name="Submit" value="submit">
</form>
<?php
} else {
$example = file_get_contents("php://input");
echo $example; }
?>