answers:

6

Question in the title.

And what happens when all 3 of $_GET[foo], $_POST[foo] and $_COOKIE[foo] exist? Which one of them gets included in $_REQUEST?

+1  A: 

When you're not certain where the values are populated or when you use them both and want to loop over all values by both POST and GET methods.

Sietse
+6  A: 

Sometimes you might want the same script to be called in several different ways. A form submit and an AJAX call come to mind. In most cases, however, it's better to be explicit.

Also, see http://docs.php.net/manual/en/ini.core.php#ini.request-order on how the different sources of variables overwrite each other if there is a name collision.

Internet Friend
+1  A: 

$_REQUEST is only a shortcut to prevent you from testing post, get and cookie if the data can come from any of these.

There are some pitfalls:

  • Data are taken from GET, POST and finally COOKIE. The last overrides the first, so be careful with that.
  • REST architectures require separating the POST and GET semantics; you can't rely on $_REQUEST in that case.

Nevertheless, if you know what you're doing, then it's just another handy PHP trick.

I'd use it if I wanted to quickly update a var that may come from several sources. E.g.:

  • In your controller, to decide what page to serve without checking if the request comes from a form action or a hypertext link.
  • To check if a session is still active regardless of the way session IDs are transmitted.

e-satis
+24  A: 

I'd say never.

If I wanted something to be set via the various methods, I'd code for each of them to remind myself that I'd done it that way - otherwise you might end up with things being overwritten without realising.

Shouldn't it work like this:

$_GET = non destructive actions (sorting, recording actions, queries)

$_POST = destructive actions (deleting, updating)

$_COOKIE = trivial settings (stylesheet preferences etc)

$_SESSION = non trivial settings (username, logged in?, access levels)

Rich Bradshaw
Excellent point on the GET versus POST methods, they are meant for different purposes. Few web applications work that way these days, however...
Internet Friend
I always thought the idea was that if you use get for deleting things, then bots could crawl those links and hence delete everything in the database... Sounded like a horror story, so I've always stuck to the schema above.
Rich Bradshaw
We're just struggling with this at my work. Our product is a CMS system which does *not* adhere to the rule above. We'd like to provide Google Mini appliances www.google.com/enterprise/mini/ to our clients, but it's impossible to let it crawl a CMS extranet because all hell would break loose :/
Internet Friend
That's frustrating... It's good to think about this sort of thing before starting really! You could try rel="nofollow" on all the get links, then gradually remove ones that you know are safe - of course that's still a bit scary, not sure how strict Google is with nofollow.
Rich Bradshaw
It does respect nofollow, and it's possible to protect against it with many other means, of course. But it's still a lot of unnecessary work that could have been avoided by better design decisions in the first place.
Internet Friend
A: 

I use POST when I don't want people to have easy access to what is being passed and I use GET when I don't mind them seeing the value in the url. I generally don't use cookies for much as I find SESSION to be fine for persisting values (although having a proper registry is the best way to utilize that).

gaoshan88
+1  A: 

To answer the "what happens when all 3 exist" question, the answer is "it depends."

PHP auto-fills $_REQUEST based on the request_order directive (or variables_order if request_order is absent) in PHP.INI. The default is usually "GPC" which means GET is loaded first, then POST is loaded (overwriting GET if there is a collision), then cookies are loaded (overwriting get/post if there is a collision). However, you can change this directive in the PHP.INI file. For example, changing it to "CPG" makes cookies load first, then post, then get.

As far as when to use it? I'll echo the sentiment of "Never." You already don't trust the user, so why give the user more tools? As the developer, you should know where you expect the data to come from. It's all about reducing your attack surface area.

Nathan Strong
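
The loading order described in the answer above, as an added example that is not part of the original thread: a small PHP model of the merge next to an explicit single-source read. `build_request` and `from_source` are hypothetical helpers written for this illustration, and the three arrays are constructed sample input standing in for $_GET, $_POST and $_COOKIE.

```php
<?php
declare(strict_types=1);

// Model of how PHP fills $_REQUEST: sources are loaded in the order the
// directive lists them, and a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys and lets the newer value win.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Explicit alternative: the caller names the single source it expects,
// so a colliding name in another source cannot change the value.
function from_source(array $source, string $key): ?string
{
    $value = $source[$key] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed sample input: the same name arrives through all three channels.
$get    = ['foo' => 'from-get'];
$post   = ['foo' => 'from-post'];
$cookie = ['foo' => 'from-cookie'];

foreach (['GPC', 'CPG', 'GP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  foo=%s\n", $order, $request['foo']);
}
printf("explicit \$_POST     foo=%s\n", from_source($post, 'foo'));
```

Running it shows the value of `foo` changing with the directive alone, while the explicit read stays tied to the source the code names.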