
Forms: Get Or Post/request (sorted)


dangercrow


Ok, basically I'm learning PHP, and I was wondering, other than for bookmarking purposes, is there any reason for using method="get"?

Also, is there any point in using <?php echo $_GET["whatever"]; ?> or even <?php echo $_POST["whatever"]; ?> if <?php echo $_REQUEST["whatever"]; ?> works just as well, and with more compatibility with forms?

Finally, can anyone explain how $_REQUEST actually works with $_GET, $_POST, and $_COOKIE all together? As the guide doesn't really explain fully...

Thanks in advance,
Dangercrow


Any other reason for using $_GET... sharing. Say you want to let a friend see whatever you're seeing. If a page is constructed from $_POST data, you can't. If it's from $_GET, it could.

Also, statistics. Most statistical software doesn't keep track of $_POST data. They do however have the option to keep the $_GET data.

As for using $_REQUEST instead of $_GET, $_POST or $_COOKIE... in most cases, there isn't a reason not to use it on your own site. If you're making apps for others though, you should not use $_REQUEST to keep the app independent from PHP settings. What PHP settings you ask? The one answering your next question.

Arrays in PHP have unique keys. So, if for example, both $_GET and $_POST contain a certain key, PHP needs a way to prefer one over the other within the $_REQUEST array. There's a setting in php.ini for this, called "gpc_order". Its default value - "GPC", says that first $_GET variables are processed, then $_POST variables (and therefore, conflicting keys from $_GET will now have the $_POST values), then $_COOKIE variables (and therefore, keys that conflict with the "GP" merge will now have the $_COOKIE values).

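The merge order described in the post above, as an added example that is not part of the original thread. `build_request()` is a hypothetical helper and the arrays are constructed sample data; in current PHP releases the php.ini directive that controls the order is `request_order`, which falls back to `variables_order` when empty.

```php
<?php
// Added example: emulates how PHP fills $_REQUEST from GET, POST and COOKIE data.
// build_request() is a hypothetical helper; the input arrays are constructed.

/**
 * Merge the sources in the order given ("G", "P", "C").
 * Later letters overwrite earlier ones when a key appears in both.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace: the right-hand value wins on a key conflict
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Constructed request: the key "user" arrives through all three channels.
$get    = ['user' => 'from-query-string', 'page' => '2'];
$post   = ['user' => 'from-form-body'];
$cookie = ['user' => 'from-cookie', 'theme' => 'dark'];

// Same input, three configurations: the value code sees in $_REQUEST['user']
// depends on server settings, not on the form that was submitted.
foreach (['GPC', 'GP', 'PG'] as $order) {
    $r = build_request($order, $get, $post, $cookie);
    printf("%-3s => user=%s theme=%s\n", $order, $r['user'], $r['theme'] ?? '(absent)');
}

// The order this interpreter is actually configured with.
$effective = ini_get('request_order') ?: ini_get('variables_order');
echo "effective order here: {$effective}\n";
```

Reading `$_POST['user']` (or `$_GET`, `$_COOKIE`) directly gives the same value under every one of these settings, which is why portable code names the source explicitly.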

Actually $_REQUEST does either $_POST or $_GET depending on which was used. If you have a login form with the input fields: username and password, and you are using $_REQUEST I could type this into my browser: http://www.yoursite.com/login.php?username...;password=Admin. If the username and password are correct I will be logged in. $_POST is basically used for security reasons.


> Actually $_REQUEST does either $_POST or $_GET depending on which was used. If you have a login form with the input fields: username and password, and you are using $_REQUEST I could type this into my browser: http://www.yoursite.com/login.php?username...;password=Admin. If the username and password are correct I will be logged in. $_POST is basically used for security reasons.

Hmmm... hadn't thought about that one... I suppose you have a point in that using $_REQUEST makes it easier to try and crack a login form. Using $_POST doesn't prevent crackers in any way though (I suppose you know that, but I'm telling it for the sake of anyone else reading this). It only forces them to use an additional tool (say, Fiddler, or the cURL library) to forge an HTTP request. Anyone who really wants to crack a login form can still try to.

POST only adds security in open or shared client environments. Someone looking over your shoulder can see a query string in your URL bar and learn your password. Bad news. Likewise, if someone sits down and looks at your history, they can see an old query.

But POST adds no security on the server side.

Way back when, URL + query string was limited to a small number of characters. So GET was reserved for requests, and POST was used for uploading larger chunks of data, like the text from a textarea.

Then there is the semantic element. GET means request. POST means upload. Call me traditional, but I think we should stick with that.

Responses to GET requests are generally cached. This is a big difference, and probably the most important. When the same request returns the same data every time, it is more efficient to use GET.

I'm always a little surprised when I see tutorials that defeat this functionality by adding random characters to the query string. This is useful for debugging, of course. But a strange thing to build into a release version. Why not use POST?

True, encodeURIComponent() adds a tiny layer of complexity. But that's not a good enough reason, IMO. And it's only an AJAX thing, anyway. A regular form doesn't need that.

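The login-form posts above, turned into an added example that is not part of the original thread: a handler that takes credentials only from the POST body and refuses them in the URL. `check_login()`, the user table and the sample password are hypothetical and constructed; on a real page the arguments would be `$_SERVER['REQUEST_METHOD']`, `$_GET` and `$_POST`.

```php
<?php
// Added example: accept login credentials only from a POST body.
// check_login() and all sample data are hypothetical / constructed.

function check_login(string $method, array $get, array $post, array $users): array
{
    // A link typed or pasted into the address bar issues GET; refuse it.
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    // Credentials in a query string stay visible in the URL bar and history.
    if (isset($get['username']) || isset($get['password'])) {
        return [400, 'Credentials must not be sent in the URL'];
    }
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    // username[]=x arrives as an array; treat it like a missing field.
    if (!is_string($user) || !is_string($pass)) {
        return [400, 'Missing or malformed fields'];
    }
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return [401, 'Invalid credentials'];
    }
    return [200, 'OK'];
}

// Constructed user table and requests.
$users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
$good  = ['username' => 'alice', 'password' => 'constructed-sample-pw'];
$cases = [
    ['GET',  $good, []],                                     // credentials in URL
    ['POST', [],    $good],                                  // normal form submit
    ['POST', $good, []],                                     // POST, but fields in URL
    ['POST', [],    ['username' => 'alice', 'password' => 'wrong']],
    ['POST', [],    ['username' => ['alice'], 'password' => 'x']],
];
foreach ($cases as [$method, $get, $post]) {
    [$code, $msg] = check_login($method, $get, $post, $users);
    echo "{$method} -> {$code} {$msg}\n";
}
```

As the thread notes, this does not stop anyone from forging a POST request; it keeps passwords out of URLs and keeps the handler's behaviour independent of how `$_REQUEST` is configured.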

> Hmmm... hadn't thought about that one... I suppose you have a point in that using $_REQUEST makes it easier to try and crack a login form. Using $_POST doesn't prevent crackers in any way though (I suppose you know that, but I'm telling it for the sake of anyone else reading this). It only forces them to use an additional tool (say, Fiddler, or the cURL library) to forge an HTTP request. Anyone who really wants to crack a login form can still try to.

Like Deirdre's Dad said,

> Someone looking over your shoulder can see a query string in your URL bar and learn your password. Bad news. Likewise, if someone sits down and looks at your history, they can see an old query.

Archived

This topic is now archived and is closed to further replies.
