11

So, for a while now I've been using the following to check if my post data has been set.

if( ! empty( $_POST ) ) { }

But recently I've been seeing a lot of posts saying that the above is a "hack" and the below is the correct "better" way.

if( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { }

By recently I just mean I've only recently found it. All the posts that are discussing this later method are from 2009'ish. A bit old by coding standards so I figure its ok to get a fresh opinion on this topic.

I've come to understand that the two methods are different. The first is considered a "hack" that just checks if the post array has been set, which will happen if a post request is made. The second actually checks the server to see if a post request has been made. I imagine the second might be a little more secure, but if the information is cleansed anyways I don't see how it makes much of a difference.

I've also seen posts that the later was only used in PHP versions <= 4 because PHP was still using the $_REQUEST global at this point and this was the way PHP coders used to determine the source of certain request paramters. I'm not sure how accurate that last statement is, because the questions being posed in the older posts are the same as mine. They use the post global and not request. However, this is a more recent post than any of the others (2011), and from a source I've come to trust. So I'm not sure what to make of it.

And what to do when checking for get? I've seen a couple of places say that the server request method doesn't seem to work in this instance, and I can only assume that it is because post supercedes get and the request method can only hold one paramter. So if you have both post and get data what do you do? A comment on one of these posts suggests using the request global instead of post and get, but I've been under the impression that is a bad idea.

This is the most recent source I could find, and I did so by looking through the similar questions on the side before submitting. It is specifically asking about using a submit value to check if the form was passed, but it does also mention the request method. A lot of it seems to indicate that the later is still being used commonly. So is this advice still valid? Is checking the request method still the best option?

Community
  • 1
  • 1
mseancole
  • 1,634
  • 4
  • 16
  • 24
  • possible duplicate of [isset($\_POST\['submit'\]) vs $\_SERVER\['REQUEST\_METHOD'\]=='POST'](http://stackoverflow.com/questions/10943060/isset-postsubmit-vs-serverrequest-method-post) – Ja͢ck Aug 22 '13 at 05:17

2 Answers2

10

Yes, it's still there, and it's still 100% reliable. The $_SERVER["REQUEST_METHOD"] var is set by PHP itself, based on the actual request method used by the user's connection. A user can't send in a query paramter or otherwise influence the value of that var, other than by changing the type of request.

Your if(!$_POST) is not reliable, because it IS possible to perform a post but not send any data across it, e.g:

<form method="post">
<input type="submit" />
</form>

will produce just such an empty $_POST array - there are no named form elements in the form, so no data will be sent, yet a POST has still be performed.

I would not worry about PHP4 not having this superglobal. PHP 4 is a stone age version, and code which supports v4 but built on v5 will have to contain so many ugly/disgusting hacks to achieve backwards compatibility that anyone having to work on that code would suffer from nightmares. PHP 4 should be considered dead and gone.

Marc B
  • 340,537
  • 37
  • 382
  • 468
  • So then how would you check for get variables? With request method being post you can't use it again to check for get. Or is it just that get is already unreliable so the best that can be done is ensure the array is not empty? BTW: was not really worried over PHP4, the source of that comment was explaining that as the reason for the request method, which is apparently wrong. – mseancole Jun 12 '12 at 15:21
  • what do you mean, check for get variables? that's why there's `$_GET`, and `$_POST` for post... – Marc B Jun 12 '12 at 15:45
  • maybe a form with a single checkbox would be a more realistic example of when you need to detect a post, but *might* not have any values. – goat Jun 12 '12 at 16:00
  • I mean is there something similar for get. i.e.(`$_SERVER[ 'REQUEST_METHOD' ] === 'GET'`) except that example will not work if there is a post session because it overrides it. Or do I just continue to check if the get array is empty? i.e.(`! empty( $_GET )`) – mseancole Jun 12 '12 at 16:02
  • oh. passing get variables while doing a post? $_GET will be set regardless of the request method if there's query vars in the URL. Just check if whatever get var you want is there,e .g. `if (isset($_GET['queryvar'])) { ... }`. – Marc B Jun 12 '12 at 16:05
  • I guess it depends on whether you care that that request method is POST, or if any data has been POSTed. If no data has been posted, you might prefer to default to the GET behaviour. But if someone is POSTing and nothing has been submitted, most likely you want to let them know :S – Andrew Jan 20 '16 at 19:29
5

I always use the $_SERVER['REQUEST_METHOD']; variable to check the request method.

This variable also says if the request is a 'GET', 'HEAD', 'POST' or 'PUT' request.

http://php.net/manual/en/reserved.variables.server.php

Colin Brock
  • 20,219
  • 9
  • 43
  • 61
Dave_Peachy
  • 508
  • 3
  • 11