I am bit confused about these super global variable ($_POST, $_GET, and $_REQUEST) in PHP. In which scenario do I need to use these variables in PHP, and what are the main differences these three stand for?
$_POST is an associative array of variables passed to the current script via the HTTP POST method when using application/x-www-form-urlencoded or multipart/form-data as the HTTP Content-Type in the request.
You can use when you are sending large data to server or if you have sensitive information like passwords, credit card details etc
$_GET is an associative array of variables passed to the current script via the URL parameters. you can use when there is small amount of data, it is mostly used in pagination, page number is shown in the url and you can easily get the page number from URL using $_GET
$_REQUEST is a 'superglobal' or automatic global, variable. This simply means that it is available in all scopes throughout a script. It is an associative array that by default contains the contents of $_GET, $_POST and $_REQUEST (depending on request_order=)
Difference is:
$_GET retrieves variables from the querystring, or your URL.>
$_POST retrieves variables from a POST method, such as (generally) forms.
$_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET.
There are 2 methods to send HTML form data from 1 Page to another or HTML page to server side (In PHP).
POST
It is a method in which data gets sent using packet which is not visible to any user on web-browser. it is secured compared to GET method.
GET
It is a method in which data gets sent with URL which is visible to user in address-bar of any web-browser. So, it’s not secure as POST method.
Now, There are total three super global variables to catch this data in PHP.
$_POST: It can catch the data which is sent using POST method.
$_GET: It can catch the data which is sent using GET method.
$_REQUEST: It can catch the data which is sent using both POST & GET methods.
Also with $_GET superglobal variable can collect data sent in the URL from submit button.
Well, to know better, please visit GET vs. POST:
1) Both $_GET and $_POST create an array e.g. array( key => value, key2 => value2, key3 => value3, ...). This array holds key/value pairs, where keys are the names of the form controls and values are the input data from the user.
2) Both GET and POST are treated as $_GET and $_POST. These are superglobals, which means that they are always accessible, regardless of scope - and you can access them from any function, class or file without having to do anything special.
3) $_GET is an array of variables passed to the current script via the URL parameters.
4) $_POST is an array of variables passed to the current script via the HTTP POST method.
---- whereas $_REQUEST contains $_POST, $_GET and $_COOKIE .
Currently I put a constant on my webpage using PHP which I then send, with Ajax, to my POST function. However, this leaves it susceptible to hacking (the user could change the variable with Firebug), so is there a way to store the variable in the PHP of the page and then access it later on, in the POST method (or is the GET variable of the page still available in the POST function, since that's where I get the variable from)?
I think what you have wanted is to store the post value to use it later.
Here you would need to use $_SESSION
You can do it like
session_start();
// Save variables into session
$_SESSION['thevalue'] = $_POST['value'];
If you wish to store between successive calls from the same user use the follwing:
<?php
session_start();
$_SESSION["your variable/constant"] = yourvaule;
Now use the variable as needed, accessing it as $_SESSION["your variable/constant"]
Hope it helps, and it's what you're asking.
I use RESTFullYii v1.15 from here . RESTFullYii does not get data for PUT request
I faced the problem that making PUT method the data I submit are not inside the doRestUpdate($id, $data) function.
In the link above it is defined as public function doRestUpdate($id, $data).
So it is supposed that data are submit are in $data variable.
Vars $_GET, $_POST, $_REQUEST don't have these data too.
I watch headers of request using firebug and see that data are sent in PUT request, but they are not in doRestUpdate function.
If there is way to fix it?
I call my php file in the browser with "...test.php?text=Hello" but the $_POST variable stays empty (also print_r($_POST) returns array() ).
Why? Do I need to activate the post variable or something?
Thanks.
Variables passed in through the URL end up inside $_GET, not $_POST.
$_POST contains variables parsed by reading the HTTP request body when the method is POST. In this case the method is not POST and there is also no request body.
If you pass the variable through the URL you use $_GET.
Also, you will access the variable with:
$_GET['text']
This is a array that is sent through and you need to specify what item in the array you want to use.
...test.php?text=hello passes data via the GET method (accessible via $_GET in the processing script).
$_POST gets populated by forms or cURL access (when the transfer method is defined as "post")
Which of these code will be faster?
$temp = $_REQUEST['s'];
or
if (isset($_GET['s'])) {
$temp = $_GET['s'];
}
else {
$temp = $_POST['s'];
}
$_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.
But it's only a default, which depends on variables_order ; and not sure you want to work with cookies.
If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both) : generally speaking :
You should use $_GET when someone is requesting data from your application.
And you should use $_POST when someone is pushing (inserting or updating ; or deleting) data to your application.
Either way, there will not be much of a difference about performances : the difference will be negligible, compared to what the rest of your script will do.
GET vs. POST
1) Both GET and POST create an array (e.g. array( key => value, key2 => value2, key3 => value3, ...)). This array holds key/value pairs, where keys are the names of the form controls and values are the input data from the user.
2) Both GET and POST are treated as $_GET and $_POST. These are superglobals, which means that they are always accessible, regardless of scope - and you can access them from any function, class or file without having to do anything special.
3) $_GET is an array of variables passed to the current script via the URL parameters.
4) $_POST is an array of variables passed to the current script via the HTTP POST method.
When to use GET?
Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL). GET also has limits on the amount of information to send. The limitation is about 2000 characters. However, because the variables are displayed in the URL, it is possible to bookmark the page. This can be useful in some cases.
GET may be used for sending non-sensitive data.
Note: GET should NEVER be used for sending passwords or other sensitive information!
When to use POST?
Information sent from a form with the POST method is invisible to others (all names/values are embedded within the body of the HTTP request) and has no limits on the amount of information to send.
Moreover POST supports advanced functionality such as support for multi-part binary input while uploading files to server.
However, because the variables are not displayed in the URL, it is not possible to bookmark the page.
$_GET retrieves variables from the querystring, or your URL.>
$_POST retrieves variables from a POST method, such as (generally) forms.
$_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET. Good to use $_REQUEST on self refrential forms for validations.
I'd suggest using $_POST and $_GET explicitly.
Using $_REQUEST should be unnecessary with proper site design anyway, and it comes with some downsides like leaving you open to easier CSRF/XSS attacks and other silliness that comes from storing data in the URL.
The speed difference should be minimal either way.
Use REQUEST. Nobody cares about the speed of such a simple operation, and it's much cleaner code.
Don't worry. But you should still use the second solution (plus an extra check for none of those variables existing), because there are security issues with $_REQUEST (since $_GET and $_POST aren't the only sources for that array).
There was a post about the problems with $_REQUEST yesterday, I believe. Let me go find it.
EDIT: Oh well, not directly a post, but here it is anyway: http://kuza55.blogspot.com/2006/03/request-variable-fixation.html
if (isset($_GET['s'])) {
$temp = $_GET['s'];
}
else {
$temp = $_POST['s'];
}
Use that because it is safer and it won't make noticeable speed difference
$_GET retrieves variables from the querystring, or your URL.>
$_POST retrieves variables from a POST method, such as (generally) forms.
$_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET. Good to use $_REQUEST on self refrential forms for validations.
There are certain security concerns involved as a hacker can set a cookie that will override a $_POST or $_GET value. If you handle sensitive data, I would not recommend using $_REQUEST. – Xandor
you can't be used $_GET alternative of $_POST on some case.
When ??
when you want to upload a file.
when you don't won't to show a data in url.
GET also has limits on the amount of information to send. The limitation is about 2000 characters.
Other thing's there are few case when you can't retrieve a data using $_POST
When ?
when data is passed in URL.
For Rest Service
`GET` - Provides a read only access to a resource.
`PUT` - Used to create a new resource.
there is nothing be wrong to use $_REQUEST.
But the way to do that is to check $_SERVER['REQUEST_METHOD'] explicitly, not rely on $_POST being empty for a GET.
I would use the second method as it is more explicit. Otherwise you don't know where the variables are coming from.
Why do you need to check both GET and POST anyway? Surely using one or the other only makes more sense.
I only ever use _GET or _POST. I prefer to have control.
What I don't like about either code fragment in the OP is that they discard the information on which HTTP method was used. And that information is important for input sanitization.
For example, if a script accepts data from a form that's going to be entered into the DB then the form had better use POST (use GET only for idempotent actions). But if the script receives the input data via the GET method then it should (normally) be rejected. For me, such a situation might warrant writing a security violation to the error log since it's a sign somebody is trying something on.
With either code fragment in the OP, this sanitization wouldn't be possible.
I would use $_POST, and $_GET because differently from $_REQUEST their content is not influenced by variables_order.
When to use $_POST and $_GET depends on what kind of operation is being executed. An operation that changes the data handled from the server should be done through a POST request, while the other operations should be done through a GET request. To make an example, an operation that deletes a user account should not be directly executed after the user click on a link, while viewing an image can be done through a link.
I use this,
$request = (count($_REQUEST) > 1)?$_REQUEST:$_GET;
the statement validates if $_REQUEST has more than one parameter (the first parameter in $_REQUEST will be the request uri which can be used when needed,
some PHP packages wont return $_GET so check if its more than 1 go for $_GET, By default, it will be $_POST.
You are prematurely optimizing. Also, you should really put some thought into whether GET should be used for stuff you're POST-ing, for security reasons.
It's ugly and I wouldn't recommended it as a final solution when pushing code live, but while building rest functions, it's sometimes handy to have a 'catch-all' parameter grabber:
public static function parseParams() {
$params = array();
switch($_SERVER['REQUEST_METHOD']) {
case "PUT":
case "DELETE":
parse_str(file_get_contents('php://input'), $params);
$GLOBALS["_{$_SERVER['REQUEST_METHOD']}"] = $params;
break;
case "GET":
$params = $_GET;
break;
case "POST":
$params = $_POST;
break;
default:
$params = $_REQUEST;
break;
}
return $params;
}
Someone creative could probably even add to it to handle command line parameters or whatever comes from your IDE. Once you decide what a given rest-function is doing, you can pick one appropriate for that given call to make sure you get what you need for the deploy version.
This assumes 'REQUEST_METHOD' is set.