
Do I Always Need $_GET or $_POST?

Hello, all.

Whether I use $_GET or $_POST or not, upon submission of my form I can still retrieve a value sent from that form. For instance, if one of my input fields was named ‘a,’ I could see that the value was retrieved using the following PHP:

[code]<?php echo ('<script type="text/javascript">alert("'); echo($a); echo ('")</script>');?>[/code]

It doesn’t matter if I use HTTP get or post, the value is retrieved. I guess my question is: When would I need to use $_GET or $_POST, and why?

P.S. You’ll notice that I’m not bashful asking very fundamental questions (I’m new to PHP). I greatly appreciate any advice that you can provide for me.

bubbis


@chazzy, May 23.2006 — 1) It's much easier (and cleaner) to rewrite your code as:
[code=php]
<?php echo ("<script type=\"text/javascript\">alert(\"".$a."\")</script>");?>
[/code]


2) The behavior you're describing is when register_globals is turned on. This leads to a security nightmare because for one your forms become much less secure. It also leads to problems with session handling. Typically having that feature is frowned upon.
@NogDog, May 23.2006 — It's because your web server has register_globals set to "on". This is not the default setting (assuming you're running PHP 4.2.0 or later) and has certain security issues (thus why it's no longer the default setting). Using the $_POST or $_GET value as applicable will allow your script to run on any host, whereas assuming register_globals is on and just using the simple, scalar variable name will mean your script will likely fail on another host, or if your host is upgraded at some point to have register_globals turned off. See http://www.php.net/register_globals for more info.
@bubbisthedog (author), May 23.2006 — [b]Chazzy:[/b] Thanks so much for the advice on the cleaner code. I was aware of using the concatenator '.' but did not (I'll get better with that as I go). So then I assume I should keep in mind to use $_GET or $_POST at all times for security reasons, or am I sort of screwed that my host has the register_globals set to 'on?'

[b]nogdog:[/b] Thanks a lot for telling me why it's important to use $_GET or $_POST if I were to change hosts. That link is very informative as well.

Thank you very much, you all, for responding to my post! Every little bit helps a lot.

bubbis
@NogDog, May 23.2006 — As long as you explicitly reference your various global variables (e.g.: $_POST['name'], $_GET['name'], $_SESSION['name'], etc.) you should be OK.
@bubbisthedog (author), May 23.2006 — Thanks, nogdog. And after closer reading of the link that you provided, I'm starting to understand the security issues.

I really appreciate you taking the time to 'show me the ropes.'

bubbis
@chazzy, May 23.2006 — so long as you don't get lazy you'll be fine.
@bubbisthedog (author), May 23.2006 — [QUOTE]so long as you don't get lazy you'll be fine.[/QUOTE]
...and I was, it seems. :o

Thanks a lot for taking the time to help me out, chazzy.

bubbis
@bubbisthedog (author), May 23.2006 — This is probably more of an HTML question, but, because I want to be able to bookmark pages, I'm using method="get" for now, as well as $_GET in PHP. I use method="post" exclusively at work for in-house apps so that I do not display the parameters in the URL; is it safe to use "get" and $_GET? Or is there some other way to submit form information using method="post" and $_POST and still allow myself to bookmark pages that I find useful?

If this belongs in a separate post, or even another forum, please advise me, and I'll do it (or, of course, the admin can).

Once again, I appreciate any input that you wish to provide.

bubbis
@aaronbdavis, May 23.2006 — The basic rule of thumb for when to use POST versus GET:

Use GET for data retrieval: when you want to get a particular record from a database, for example, you should use a GET variable for the record.

Use POST when sending data: for example, when sending data in a form to place in a database.
@bubbisthedog (author), May 23.2006 — Thank you, aaron, for the advice. I'm assuming that you're referring to the HTTP get and post and not the php $_GET and $_POST.

Of course, no matter if I use method="get" or "post", I can still 'get' my variable using $_GET or $_POST. What's the difference? If I use method="get" and $_POST to get the variable, I get all the qualities (parameters in the URL) as if I'd used $_GET. Is it supposed to be: method="post", then get the variable via $_POST? If that's the way it is, then why can I use $_GET after using method="post"?

Sorry if I'm annoying; I don't try to be. I [b]do[/b] understand when and why to use HTTP "get" and "post", but don't see the difference between using $_GET and $_POST when actually retrieving the data.

What's the advantage, purpose?

Thanks!

bubbis
@NogDog, May 23.2006 — If you use the get form method, then the value should only be available via $_GET, and $_POST if you use the post method. If it's showing up in both when you only submit it once via one method, then something weird is going on. (Unless you're using the post method in your form and also including a URL query in the form's action attribute?)
@bubbisthedog (author), May 23.2006 — Nope. My form action is the page itself (eg, ww.test.com/test.php is the page, and I use method="get" and action="ww.test.com/test.php") and can use $_POST[$variable] to get the value of the variable. So something's screwy? lol

Thanks, nogdog.

bubbis
@NogDog, May 23.2006 — Try this test. (I just ran it on my PC with register_globals enabled, and only ever got the Post or the Get value, but never both):
[code=php]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang='en'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>
<title>Page Title</title>
<!-- link rel='stylesheet' href='style.css' type='text/css' -->
<style type="text/css">
<!--

-->
</style>
</head>
<body>
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
<fieldset>
<legend>Post</legend>
<input type="hidden" name="test" value="post test">
<input type="submit" value="Submit Post">
</fieldset>
</form>
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="get">
<fieldset>
<legend>Get</legend>
<input type="hidden" name="test" value="get test">
<input type="submit" value="Submit Get">
</fieldset>
</form>
<p><a href="<?php echo $_SERVER['PHP_SELF'] ?>">Neither</a></p>
<pre>
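<?php
// Show which superglobal received the submitted value.
echo "POST:\n";
print_r($_POST);
echo "\nGET:\n";
print_r($_GET);
// With register_globals on, $test is also set as a bare variable.
echo "\n\$test:\n";
echo (isset($test)) ? $test : "" ;
?>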
</pre>
</body>
</html>
[/code]
@bubbisthedog (author), May 23.2006 — Just so I do not keep you hanging, I'm off to bed for the evening. I'll test it tomorrow and will return the results.

Thank you very much for taking the time to help me,

bubbis
@bubbisthedog (author), May 25.2006 — NogDog,

Sorry for the delayed response; I've been spending the past couple of days installing LAMP on my new server. :eek:

I ran your test, and I, too, only had returned [u]either[/u] 'get' or 'post.' But it's odd, because I just ran my code again, using
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="get">
along with
$_POST[$i];
and the value is returned when I perform a simple echo of $i.

Thanks to you and aaron, I now completely understand what $_GET and $_POST do (they're arrays containing data sent via either a get or post method, respectively), and now it doesn't make sense to me (even worries me) why this oddity is occurring.

Thank you for your continued info and help!

bubbis
@bokeh, May 25.2006 — [QUOTE]the value is returned when I perform a simple echo of $i.[/QUOTE]
You need to switch register globals off.
@bubbisthedog (author), May 25.2006 — Okay, I see what's going on now. Thanks, bokeh.

I can turn register_globals to off on my home server, but can't on my host's (I'm pretty sure?). I'll follow the necessary authentication precautions mentioned at http://www.php.net/register_globals, as supplied earlier by NogDog. I hope that's sufficient.

Thanks again,

bubbis
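
The difference discussed in this thread, as an added example that is not part of any post: a handler written in the register_globals style beside one that reads `$_POST` explicitly and initialises its flag first. Because register_globals was removed in PHP 5.4, `extract()` emulates it here; the handler names, the `$users` table and the request arrays are constructed for illustration.

```php
<?php
// Added example, not code from the thread. register_globals was removed in
// PHP 5.4, so extract() stands in for it here. All request data is constructed.

// Legacy style: request fields arrive as bare variables, whatever the method.
function legacy_handler(array $get, array $post, array $users): string
{
    extract($get);   // emulation: GET fields become local variables...
    extract($post);  // ...then POST fields, overwriting on a name clash

    // $authorized is never initialised, so a request field with that name
    // can set it before this check runs.
    if (isset($user, $pass, $users[$user]) && password_verify($pass, $users[$user])) {
        $authorized = true;
    }
    return !empty($authorized) ? 'granted' : 'denied';
}

// Explicit style: one named superglobal per value, flag initialised first.
function explicit_handler(array $get, array $post, array $users): string
{
    $authorized = false;
    $user = $post['user'] ?? '';   // credentials are accepted from POST only
    $pass = $post['pass'] ?? '';
    if (is_string($user) && is_string($pass) && isset($users[$user])
        && password_verify($pass, $users[$user])) {
        $authorized = true;
    }
    return $authorized ? 'granted' : 'denied';
}

$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$cases = [
    'valid login via POST'    => [[], ['user' => 'alice', 'pass' => 'correct horse']],
    'wrong password'          => [[], ['user' => 'alice', 'pass' => 'nope']],
    'stray field in the URL'  => [['authorized' => '1'], []],
    'credentials sent by GET' => [['user' => 'alice', 'pass' => 'correct horse'], []],
];
foreach ($cases as $label => [$get, $post]) {
    printf("%-24s legacy=%-8s explicit=%s\n", $label,
        legacy_handler($get, $post, $users), explicit_handler($get, $post, $users));
}
```

The two handlers agree on the first two cases and differ on the last two, which is why initialising variables and naming the superglobal matters on a host where register_globals cannot be switched off.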