What is the meaning of "a POST request also has $_GET parameters" - php

Hi i am looking at differences between $_GET and $_POST methods , i came across some articles that says
A POST request also has $_GET parameters
So a POST request is a superset of a GET request; you can use $_GET in a POST request, and it may even make sense to have
parameters with the same name in $_POST and $_GET that mean different
things.
When should I use GET or POST method? What's the difference between them?
http://www.sitepoint.com/on-get-and-post/
And there is an example also
For example, let's say you have a form for editing an article. The
article-id may be in the query string (and, so, available through
$_GET['id']), but let's say that you want to change the article-id.
The new id may then be present in the request body ($_POST['id']).
so how can we use $_GET['id'] and $_POST['id'] at the same time , confusing .
Please explain this with a simple example . so everyone including me , who does not understand this can understand well .
Thank you in advance :)

I'll explain to you by using an example:
<form method='post' action='edit-article.php?article_id=3'>
<label for='article_name'>Article name:</label>
<input type='text' name='article_name' value='' />
<input type='submit' name='edit' value='Change article name' />
</form>
When you press submit you will be redirected to edit-article.php?article_id=3
Here you will have the following variables set:
$_GET['article_id'] (from url), $_POST['article_name'](from form) and $_POST['edit'] (the submit button, also via form)

Perhaps the simplest way to understand this is that $_GET is simply badly named. All it actually represents is the values of "query string" parameters parsed from the part of a URL after a ?. Since every request has a URL, whatever type it is, any request can populate $_GET.
$_POST, on the other hand, is populated only for POST requests, and even then only those whose request body is in a particular format.
When you use method=get in HTML, the browser just creates a URL based on the form data, and asks for that URL with a GET request the same as you typing it into the address bar. With method=post, the form data is sent separately from the URL, but the URL might still contain a ? and a query string.

Think of it like this. You have two completely different arrays:
$A = array();
$B = array();
Now you can write this piece of code:
$A['id'] = 8;
$B['id'] = 5;
The above code is completely valid. These are different arrays, they just happen to have the same keys with different values assigned to them.
$_GET and $_POST are different variables. Everything you write into the url query will show up in the $_GET variable, evrerything you send via POST will end up in $_POST. So you can set the same key in the URL query and in the POST data.
However, $_REQUEST holds the data of $_GET, $_POST and $_COOKIE. If you have the same keys in $_POST and $_GET we can assume, that $_REQUEST will hold only one of the values. I actually do not know, which value will be saved in $_REQUEST and I hope someone else knows the answer to that, because I am very curious about that.

Related

Form with POST method returns $_REQUEST but $_POST is empty

Using PHP7.x, I have a simple form
<form method='post' action=''>
<input type='text' name ='yourname'>
<input type='submit' name = 'submitted' value = 'here'>
</form>
The submit button works fine. Looking at the POST with developer tools, I see the values of the input fields submitted. So the POST parameters in the Developer tools window show the entered value.
But if my processing page (the 'action' page) contains this code
echo $_POST['yourname'];
The output is null. This statement
echo $_REQUEST['yourname'] shows the entered value.
Why doesn't $_POST['yourname'] show a value?
And, I sanitize all form data with this command
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
I can change my code to use the $_REQUEST['yourname'], but why doesn't $_POST['yourname'] show data? And, will my filter_input_array() 'clean' the resultant $_REQUEST values?
Added
Made the correction to the code (I put the 'action' in the wrong statement in my sample code; the code was not the actual used. Actual code had the 'action' parameter in the proper location. Sample code was a generic sample, as I have seen this problem in many areas of code using 'forms'.
But don't understand the 'close'. This is a programming area (to my understanding), and this is a programming question: "Why does a POST not populate the $_POST array on submit".
And, the secondary question "Does the filter_input_array 'clean' the variables placed in $_REQUEST ?" was not answered. (Maybe that should have been a separate question.)
But disappointed and unclear as to why this is not an appropriate question for this stack. (And yes, I read the 'rules'.)
If you are still unable to access $_POST variables after correcting the html, there is another possible cause.
variables_order directive
There is a directive in the php.ini configuration file that determines which of the superglobal variables are used, and in what order.
From the manual:
variables_order string
Sets the order of the EGPCS (Environment, Get, Post, Cookie, and Server) variable parsing. For example, if variables_order is set to "SP" then PHP will create the superglobals $_SERVER and $_POST, but not create $_ENV, $_GET, and $_COOKIE. Setting to "" means no superglobals will be set.
request_order directive
Furthermore, $_REQUEST has its own directive, which appears to supercede the variables_order directive:
request_order string
This directive describes the order in which PHP registers GET, POST and Cookie variables into the _REQUEST array. Registration is done from left to right, newer values override older values.
If this directive is not set, variables_order is used for $_REQUEST contents.
Finding php.ini
From the manual
<?php
$inipath = php_ini_loaded_file();
if ($inipath) {
    echo 'Loaded php.ini: ' . $inipath;
} else {
echo 'A php.ini file is not loaded';
}
?>
First off,
The HTML looks a little off..
The action attribute is not a valid attribute for input.
The submit button has spaces in them
There is not action declared on the form, most browsers will post it to the referring page but not all.
If i fix up the code like this i have good output:
<?php // this file is test.php
if (sizeof($_POST))
var_dump($_POST);
?>
<form method='post' action='test.php'>
<input type='text' name ='yourname'>
<input type='submit' name='submitted' value='here'>
</form>
I get the expected response:
array(2) { ["yourname"]=> string(4) "test" ["submitted"]=> string(4) "here" }
I did some further testing on this, trying to simplify the code and duplicate the problem. The code is on a site that has various 'includes'. So I took my simple code (just a form and then print_r of the $_GET/POST/REQUESTs) to help duplicate the problem.
My includes include these statements to sanitize all inputs:
$_POST = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_GET = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
Looks OK, doesn't it? Standard sanitize of the $_GET and $_POST variables. Nothing to see here. Move along.
But look more closely. I've used these statements in my code lots of times. Kept going. But it should be this:
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
Note that the first block is filtering the GET into POST, and the POST into GET. Dyslexic code!
I call that a "SAF" error - "Smack Against Forehead". Or "LCG" - "Look Closely, Grasshopper".
<sigh> Thanks for the help.

What's the difference between $_POST, $_GET, and $_REQUEST?

I am bit confused about these super global variable ($_POST, $_GET, and $_REQUEST) in PHP. In which scenario do I need to use these variables in PHP, and what are the main differences these three stand for?
$_POST is an associative array of variables passed to the current script via the HTTP POST method when using application/x-www-form-urlencoded or multipart/form-data as the HTTP Content-Type in the request.
You can use when you are sending large data to server or if you have sensitive information like passwords, credit card details etc
$_GET is an associative array of variables passed to the current script via the URL parameters. you can use when there is small amount of data, it is mostly used in pagination, page number is shown in the url and you can easily get the page number from URL using $_GET
$_REQUEST is a 'superglobal' or automatic global, variable. This simply means that it is available in all scopes throughout a script. It is an associative array that by default contains the contents of $_GET, $_POST and $_REQUEST (depending on request_order=)
Difference is:
$_GET retrieves variables from the querystring, or your URL.>
$_POST retrieves variables from a POST method, such as (generally) forms.
$_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET.
There are 2 methods to send HTML form data from 1 Page to another or HTML page to server side (In PHP).
POST
It is a method in which data gets sent using packet which is not visible to any user on web-browser. it is secured compared to GET method.
GET
It is a method in which data gets sent with URL which is visible to user in address-bar of any web-browser. So, it’s not secure as POST method.
Now, There are total three super global variables to catch this data in PHP.
$_POST: It can catch the data which is sent using POST method.
$_GET: It can catch the data which is sent using GET method.
$_REQUEST: It can catch the data which is sent using both POST & GET methods.
Also with $_GET superglobal variable can collect data sent in the URL from submit button.
Well, to know better, please visit GET vs. POST:
1) Both $_GET and $_POST create an array e.g. array( key => value, key2 => value2, key3 => value3, ...). This array holds key/value pairs, where keys are the names of the form controls and values are the input data from the user.
2) Both GET and POST are treated as $_GET and $_POST. These are superglobals, which means that they are always accessible, regardless of scope - and you can access them from any function, class or file without having to do anything special.
3) $_GET is an array of variables passed to the current script via the URL parameters.
4) $_POST is an array of variables passed to the current script via the HTTP POST method.
---- whereas $_REQUEST contains $_POST, $_GET and $_COOKIE .

loop through $POST to make $SESSION equivalent

Would this be the correct way to loop through the $POST data sent by an API and have a equivalent $SESSION name/value pair be created from it?
foreach($_POST as $key=>$value)
{ $_SESSION['$key']=$value; }
UPDATE: First, thanks for the solid responses - I think I need to explain the problem I'm trying to overcome and why this functionality is being considered. The $_POST response is coming from a payment processor gateway - the problem is that since the payment form/processing is not on our domain the results of the payment (approved/declined etc. etc.) is being RELAYED to our server via $POST - When our PHP code tries to process the response data it looks for various PHP structures (Like php include 'file.php') under there domain instead of ours and errors out - I need to move the $POST data into a session and then move the person back to our domain so that the file/directory/resource tree is correct. Does this make sense what im encountering?
Don't use single quotes:
foreach ($_POST as $key => $value) {
$_SESSION[$key] = $value;
}
I'd encourage you to read about Strings in PHP.
Note: This is potentially unsafe for several reasons - mostly injection by key collision. Consider if I posted the logged in user id.
This could be mitigated through encapsulation:
$_SESSION['posted_data'] = $_POST;
Don't you rather want to keep them separated?
$_SESSION['response'] = $_POST;
If you really want to do it as you state, you could use something like
$_SESSION=array_merge($_SESSION,$_POST);
which would work but be a "bad thing" - plenty of scope to overwrite items already in the $_SESSION variable:
index.php:
<form action="2.php" method="post">
<input type="text" name="hidden" value="hidden">
<button type="submit">Click</button>
</form>
2.php:
<?php
session_start();
session_unset();
$_SESSION['hidden']="existing";
$_SESSION=array_merge($_SESSION,$_POST);
echo '<pre>'.print_r($_SESSION,true).'</pre>';
Better would be to use
$_SESSION['POST']=$_POST;
Obviously, perform any data checks you need to before doing this though
Ignoring the security issues this could cause depending on how you use it, what you could do is use:
$_SESSION = array_merge($_POST, $_SESSION);
This will only bring in POST vars which have a key not already found in $_SESSION. Switch them around if you want the POST vars to take precedence of course.
Just a quick note on security, if like a lot of people you use the session to store user id, what would happen if i sent a POST request to your script with userid=1?
All im saying is, be careful what you are doing with this. You'd be better off if possible doing as suggested and using a unique key in $_SESSION for post vars such as $_SESSION['post_vars'] = $_POST (or maybe ['form_data'] if you're using it to persist form data, which is usually why people do this).
You could also use the array union operator:
$_SESSION = $_POST + $_SESSION;
This takes the values of $_POST and adds those values of $_SESSION whose keys are not already present in $_POST.
Since the POST is made by a payment gateway, the session will be associated with it (and most likely be lost at first request, since it can be assumed that it won't ever bother reading the session cookie).
Your client won't ever see this data in their session.
If you want to have this data available, you need to persist it somehow, if the payment gateway gives you exploitable client information. Possible solution are a database, key/value store...
Alternatively, it is common that the payment gateway will allow you to specify a link to redirect the client's browser to after the purchase. Getting the parameters from the POST, you could append them to the redirect URL to pass them back to your website as GET parameters.

How do I use php?=

I'm kind of a noob at this stuff.
But I've been browsing around and I see sites that are kind alike this
www.store.com/product.php?id=123
this is really cool. but How do I do it?
Im stuck using something like this
www.store.com/product/product123.php
If you could tell me how I can go about do this it would be awesome!
What you're looking at is a $_GET argument.
In your PHP code, try writing something like this:
$value = $_GET['foo'];
Then open your page like this:
hello.php?foo=123
This will set $value to 123.
You need to use the $_GET here.
if you use the following:
?id=123
then this will be how to use it and the result
$_GET['id'] (returns the 123)
You can use as many $_GET arguments as you need, for example:
?id=123&foo=bar&type=product
$_GET is an array of what parameters are in the url, so you use it the same way as an array.
Create a file called product.php with this code:
<?php
echo "The argument you passed was: " . $_GET['id'];
?>
Now run this URL in your browser:
http://<yourdomain>/product.php?id=123
and you will understand how $_GET works.
Those are called URL parameters (what they're contained in is called a query string), and they're not unique to PHP but can be accessed in PHP using the $_GET superglobal.
Similarly, you can get POST parameters using the $_POST superglobal, though in POST requests, these parameters are not appended to the URL.
Note: Generally, for usability purposes (and thus also SEO purposes), you want to avoid using query strings as much as possible. These days, the standard practice is to use URL rewriting to display friendly URLs to the user. So your application might accept a URL like:
/products.php?id=32
But the user only sees:
/product/32
You can do this by using mod_rewrite or similar URL rewriting capabilities to turn the friendly URL into the former query string URL internally, without having the user type out the query string.
You might want to have a look at the documentation at www.php.net, especially these pages: http://www.php.net/manual/en/reserved.variables.php
Specifically, have a look at $_GET and $_POST, which are two frequently used ways to transmit information from a browser to the server. (In short, GET-parameters are specified in the URL, as in your question, while POST-parameters are "hidden from view", but can contain more data - typically the contents of forms etc, such as the textbox you posted your question in).

Among $_REQUEST, $_GET and $_POST which one is the fastest?

Which of these code will be faster?
$temp = $_REQUEST['s'];
or
if (isset($_GET['s'])) {
$temp = $_GET['s'];
}
else {
$temp = $_POST['s'];
}
$_REQUEST, by default, contains the contents of $_GET, $_POST and $_COOKIE.
But it's only a default, which depends on variables_order ; and not sure you want to work with cookies.
If I had to choose, I would probably not use $_REQUEST, and I would choose $_GET or $_POST -- depending on what my application should do (i.e. one or the other, but not both) : generally speaking :
You should use $_GET when someone is requesting data from your application.
And you should use $_POST when someone is pushing (inserting or updating ; or deleting) data to your application.
Either way, there will not be much of a difference about performances : the difference will be negligible, compared to what the rest of your script will do.
GET vs. POST
1) Both GET and POST create an array (e.g. array( key => value, key2 => value2, key3 => value3, ...)). This array holds key/value pairs, where keys are the names of the form controls and values are the input data from the user.
2) Both GET and POST are treated as $_GET and $_POST. These are superglobals, which means that they are always accessible, regardless of scope - and you can access them from any function, class or file without having to do anything special.
3) $_GET is an array of variables passed to the current script via the URL parameters.
4) $_POST is an array of variables passed to the current script via the HTTP POST method.
When to use GET?
Information sent from a form with the GET method is visible to everyone (all variable names and values are displayed in the URL). GET also has limits on the amount of information to send. The limitation is about 2000 characters. However, because the variables are displayed in the URL, it is possible to bookmark the page. This can be useful in some cases.
GET may be used for sending non-sensitive data.
Note: GET should NEVER be used for sending passwords or other sensitive information!
When to use POST?
Information sent from a form with the POST method is invisible to others (all names/values are embedded within the body of the HTTP request) and has no limits on the amount of information to send.
Moreover POST supports advanced functionality such as support for multi-part binary input while uploading files to server.
However, because the variables are not displayed in the URL, it is not possible to bookmark the page.
$_GET retrieves variables from the querystring, or your URL.>
$_POST retrieves variables from a POST method, such as (generally) forms.
$_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET. Good to use $_REQUEST on self refrential forms for validations.
I'd suggest using $_POST and $_GET explicitly.
Using $_REQUEST should be unnecessary with proper site design anyway, and it comes with some downsides like leaving you open to easier CSRF/XSS attacks and other silliness that comes from storing data in the URL.
The speed difference should be minimal either way.
Use REQUEST. Nobody cares about the speed of such a simple operation, and it's much cleaner code.
Don't worry. But you should still use the second solution (plus an extra check for none of those variables existing), because there are security issues with $_REQUEST (since $_GET and $_POST aren't the only sources for that array).
There was a post about the problems with $_REQUEST yesterday, I believe. Let me go find it.
EDIT: Oh well, not directly a post, but here it is anyway: http://kuza55.blogspot.com/2006/03/request-variable-fixation.html
if (isset($_GET['s'])) {
$temp = $_GET['s'];
}
else {
$temp = $_POST['s'];
}
Use that because it is safer and it won't make noticeable speed difference
$_GET retrieves variables from the querystring, or your URL.>
$_POST retrieves variables from a POST method, such as (generally) forms.
$_REQUEST is a merging of $_GET and $_POST where $_POST overrides $_GET. Good to use $_REQUEST on self refrential forms for validations.
There are certain security concerns involved as a hacker can set a cookie that will override a $_POST or $_GET value. If you handle sensitive data, I would not recommend using $_REQUEST. – Xandor
you can't be used $_GET alternative of $_POST on some case.
When ??
when you want to upload a file.
when you don't won't to show a data in url.
GET also has limits on the amount of information to send. The limitation is about 2000 characters.
Other thing's there are few case when you can't retrieve a data using $_POST
When ?
when data is passed in URL.
For Rest Service
`GET` - Provides a read only access to a resource.
`PUT` - Used to create a new resource.
there is nothing be wrong to use $_REQUEST.
But the way to do that is to check $_SERVER['REQUEST_METHOD'] explicitly, not rely on $_POST being empty for a GET.
I would use the second method as it is more explicit. Otherwise you don't know where the variables are coming from.
Why do you need to check both GET and POST anyway? Surely using one or the other only makes more sense.
I only ever use _GET or _POST. I prefer to have control.
What I don't like about either code fragment in the OP is that they discard the information on which HTTP method was used. And that information is important for input sanitization.
For example, if a script accepts data from a form that's going to be entered into the DB then the form had better use POST (use GET only for idempotent actions). But if the script receives the input data via the GET method then it should (normally) be rejected. For me, such a situation might warrant writing a security violation to the error log since it's a sign somebody is trying something on.
With either code fragment in the OP, this sanitization wouldn't be possible.
I would use $_POST, and $_GET because differently from $_REQUEST their content is not influenced by variables_order.
When to use $_POST and $_GET depends on what kind of operation is being executed. An operation that changes the data handled from the server should be done through a POST request, while the other operations should be done through a GET request. To make an example, an operation that deletes a user account should not be directly executed after the user click on a link, while viewing an image can be done through a link.
I use this,
$request = (count($_REQUEST) > 1)?$_REQUEST:$_GET;
the statement validates if $_REQUEST has more than one parameter (the first parameter in $_REQUEST will be the request uri which can be used when needed,
some PHP packages wont return $_GET so check if its more than 1 go for $_GET, By default, it will be $_POST.
You are prematurely optimizing. Also, you should really put some thought into whether GET should be used for stuff you're POST-ing, for security reasons.
It's ugly and I wouldn't recommended it as a final solution when pushing code live, but while building rest functions, it's sometimes handy to have a 'catch-all' parameter grabber:
public static function parseParams() {
$params = array();
switch($_SERVER['REQUEST_METHOD']) {
case "PUT":
case "DELETE":
parse_str(file_get_contents('php://input'), $params);
$GLOBALS["_{$_SERVER['REQUEST_METHOD']}"] = $params;
break;
case "GET":
$params = $_GET;
break;
case "POST":
$params = $_POST;
break;
default:
$params = $_REQUEST;
break;
}
return $params;
}
Someone creative could probably even add to it to handle command line parameters or whatever comes from your IDE. Once you decide what a given rest-function is doing, you can pick one appropriate for that given call to make sure you get what you need for the deploy version.
This assumes 'REQUEST_METHOD' is set.

Categories