Hi,

I know that a result page that uses the GET method can be bookmarked, while one using POST cannot be. I also know about the restrictions of the GET method.

Now suppose I want to build a search engine which by default uses GET allowing users to bookmark but when the length of the search phrase exceeds the limit, switch to POST. On the server side I make use of $_GET or $_POST depending on which is set.

Is this doable?
If no, why?
If yes, please provide a brief outline.

Thanks

+1  A: 

It is doable, no problem.

There is the $_REQUEST array that merges GET, POST, and COOKIE values but the better way would be to handle GET and POST manually in your script.

Just have your engine check both $_GET["variable"] and $_POST["variable"] and use whichever is set. If a variable is set in both methods, you need to decide which one you want to give precedence.

The only notable difference between the two methods is that a GET parameter has size limitations depending on browser and receiving web server (POST has limitations too, but they are usually in the range of several megabytes). I think the general rule is that a GET string should never exceed 1024 characters.

Pekka
The $_REQUEST security problem: http://thephpcode.blogspot.com/2008/09/request-security-problem.html
thephpdeveloper
@Pekka: Thanks :) And where do I add the logic to switch from GET to POST?
gameover
If you were using $_GET["xyz"] in your script until now, replace it by a variable (say, $xyz) that you fill with either the GET or the POST value somewhere in the beginning of your script.
Pekka
@Pekka: But what do I use for the form method param? Should I use, say, JS to see if the limit has been exceeded, and if yes, change it from the default GET to POST?
gameover
You would have to use JavaScript for that. Check out http://docs.jquery.com/Ajax/serialize to find out the (approximate) size of the form.
Pekka
I wouldn't say the problem with `$_REQUEST` is security-related. There's nothing an attacker can put in a cookie they can't just as easily (actually way more easily) put in a get parameter. The problem is that if someone accidentally gets themselves a cookie with the same name as a form field it can screw up your forms with no obvious way for the user to fix it.
bobince
Seconded. It would take really bad programming for somebody to break in through `$_REQUEST`. Still, there are good points against using it.
Pekka
+1  A: 

You could use something like the following:

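<?php
// Returns the value for $key from the first source that defines it
// (GET, then POST, COOKIE, SERVER, ENV), or null if none does.
function getParam($key)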
{    
    switch (true) {
        case isset($_GET[$key]):
            return $_GET[$key];
        case isset($_POST[$key]):
            return $_POST[$key];
        case isset($_COOKIE[$key]):
            return $_COOKIE[$key];
        case isset($_SERVER[$key]):
            return $_SERVER[$key];
        case isset($_ENV[$key]):
            return $_ENV[$key];
        default:
            return null;
    }    
} 
hobodave
Or just $_REQUEST
You have no control over the merging done by $_REQUEST, and thus it can lead to security issues, see the comment to Pekka's question for a link. It's also a convenience method to tie in $_SERVER and $_ENV, which $_REQUEST doesn't do. This method is employed by the Zend Framework.
hobodave
+1  A: 

Here's how you could use GET and POST in one:

<form action="myfile.php?var1=get1&amp;var2=get2&amp;var3=get3" method="post">

    <input type="hidden" name="var1" value="post1" />
    <input type="hidden" name="var2" value="post2" />

    <input type="submit" />
</form>

The PHP:

print_r($_REQUEST);
// var1 = "post1"
// var2 = "post2"
// var3 = "get3"

print_r($_GET);
// var1 = "get1"
// var2 = "get2"
// var3 = "get3"

print_r($_POST);
// var1 = "post1"
// var2 = "post2"
nickf
requires `method="post"`
bobince
thanks, edited.
nickf
+1  A: 

It's also as well to be aware that using GET opens up a temptation among certain sets of users to manipulate the URL to 'see what happens' so it's absolutely necessary to ensure that your code suitably sanitises the input variables.

Of course you were doing that anyway ;-). But with get it pays to be doubly paranoid.

Myself if I'm using GET I'll generally set a cookie too and drop an ID of some sort in it, then cross-correlate that to a variable in the GET list, just to make sure there's absolutely no issues over user A manipulating the input and letting them see anything originating with user B.

Cruachan
+1  A: 

Yes, it's doable, although (IMHO) the limit at which GET becomes cumbersome is significantly greater than the threshold at which a user interface for providing this much information becomes unusable. Also, the more complex a query you submit to a conventional search engine, the more effectively it can be resolved.

But I'm guessing you have your reasons.

The simplest way, from the information you've provided, to achieve this would be to change the form method at run time from GET to POST using javascript, e.g.

<form method='GET' id='searchform' action='search.php' onsubmit='
  if (document.getElementById("searchdata")) {
    if ((document.getElementById("searchdata").value.length > $some_threshold)
         && (document.getElementById("searchform"))) {
         // 2nd if in case this moved to action for button
         document.getElementById("searchform").method="POST";
     }
   }
 return true;'>
 <textarea name='searchdata' id='searchdata'>
 </textarea>
 <input type='submit' value='go get it'>
</form>

Which also downgrades nicely for non-javascript clients.

C.

symcbean
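An added example, not taken from any of the answers above: the GET-to-POST switch decided on the length of the URL the browser would actually request, after form encoding, rather than on the raw character count of the textarea. The 1024 limit is the figure quoted in the first answer, the `searchform` id follows the form in the last answer, and the function names are illustrative.

```javascript
// Added example. URL_LIMIT is an assumption (the figure from the first
// answer); set it below whatever your web server and proxies accept.
const URL_LIMIT = 1024;

// Length of the URL a GET submission would produce. A GET form replaces any
// query string already present in the action, and the fragment is never sent.
function getUrlLength(action, fields) {
  const base = action.split(/[?#]/)[0];
  // URLSearchParams applies form-urlencoding: space -> "+", non-ASCII -> %XX per byte.
  const qs = new URLSearchParams(fields).toString();
  return base.length + 1 + qs.length; // +1 for the "?"
}

// "GET" while the encoded URL fits, "POST" once it would exceed the limit.
function chooseMethod(action, fields, limit = URL_LIMIT) {
  return getUrlLength(action, fields) > limit ? "POST" : "GET";
}

// Browser wiring: pick the method at submit time. Without JavaScript the
// form keeps its default method="GET".
function attachMethodSwitch(form, limit = URL_LIMIT) {
  form.addEventListener("submit", () => {
    const fields = {};
    for (const [name, value] of new FormData(form)) {
      if (typeof value === "string") fields[name] = value; // skip file inputs
    }
    // form.action is the resolved absolute URL, which is what counts.
    form.method = chooseMethod(form.action, fields, limit);
  });
}

if (typeof document !== "undefined") {
  const form = document.getElementById("searchform");
  if (form) attachMethodSwitch(form);
}
```

A phrase of 200 accented characters is only 200 characters in the textarea but over 1200 once encoded, so a raw length check would leave it on GET. The server still has to read the parameter from either method, as the first answer describes.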