to $_REQUEST or to $_POST

  #1 (permalink)  
Old 01-02-04, 02:18 PM
lordmerlin

Hi

This is a more general question, yet I'm sure a lot of people have pondered about this one before.

$_REQUEST, according to the PHP manual, is an all-in-one solution, where $_GET works with the method="GET" option and $_POST works with method="POST".

Can anyone tell when to use which? When really. Someone has quoted that $_POST is faster, but $_GET allows you to store the URL with the extra strings as a bookmark.

What are your comments?
  #2 (permalink)  
Old 01-02-04, 02:41 PM
darkcarnival
$_POST is used when your form method is post, $_GET when your form method is get, and request works either way. But you really don't need that if you run PHP 4.x.x; all you have to do is make the field name a variable.

Like if a field is called name, it can be called $name in the process form.
  #3 (permalink)  
Old 01-02-04, 03:03 PM
mdhall
If I use a form, I generally use $_POST in the script receiving the form data; however, when I pass a variable through a link <a href= blah blah?$whatever> I use the $_GET method, as this seems to be the only way it will work on my WAMP setup.
  #4 (permalink)  
Old 01-02-04, 03:24 PM
lordmerlin
And this is the main reason why I asked this question, because it took me about half an hour to figure out why a certain script would display a variable (using $_POST) when it generates the info, yet when I click on the link from an email, it didn't. So I ended up changing over to $_REQUEST; this way it works with both $_POST and $_GET.


Quote:
Originally Posted by mdhall
If I use a form, I generally use $_POST in the script receiving the form data; however, when I pass a variable through a link <a href= blah blah?$whatever> I use the $_GET method, as this seems to be the only way it will work on my WAMP setup.
  #5 (permalink)  
Old 01-02-04, 03:38 PM
ermau
$_REQUEST is a security issue, as are the aforementioned variables created by post/get information.

The aforementioned variables ONLY work if register_globals is set to on, or if you globalize each variable. This, like $_REQUEST, is a security issue for the same reason.

Using straight variables is more of a security risk. From $_REQUEST anyone can place variables in the query string and have them submit as if from a form; this may not be an issue most of the time, but in certain circumstances it can be.

As for the standard variables. Globalizing a variable that is from post or get is a REALLY bad idea, even having register_globals on can be a problem. PHP can, in certain circumstances, mistake post or get variables for any variable and therefore it is possible to submit security allowing variables through the query string or home-made form to get access to private areas.

Please, for your own safety, and the safety of your users, ONLY use $_GET and $_POST.

Lordmerlin: I'd be willing to look at your code to help you figure out why $_POST or $_GET didn't work rather than having you use $_REQUEST.
__________________
PHP / mySQL Developer
  #6 (permalink)  
Old 01-03-04, 12:09 AM
lordmerlin
Hi ermau

$_POST and $_GET work, but not together. I have a form which accepts a value from another website. But it also needs to do some checking of its own, so what I've done is in the textareas <? echo $name; ?> and in the beginning of the script, I have $name=$_POST['name'];

My page accepts info from another site in the URL, but then the $_POST option doesn't work, and I need to use the $_GET option. The URL comes in the form of www.mydomain.com/application_form.php?domainname=new.mydomain.com
But looking at your post, this is probably a security issue. The page does a lot of things, so I'm just going to include a few snippets of code that have to do with this particular issue.

I only use $_REQUEST for this one variable though; the others on the page use $_POST.


PHP Code:

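<?
// Values that are re-displayed in the form below after a POST submission
$firstname = stripslashes($_POST['firstname']);
$lastname = stripslashes($_POST['lastname']);
$realname = "$firstname $lastname";
// domainname can arrive in the URL from the other site or from this form's POST
$domainname = stripslashes($_REQUEST['domainname']);
$company = stripslashes($_POST['company']);
$email = stripslashes($_POST['email']);
?>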
                  <TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" DWCOPYTYPE="CopyTableRow">
     <FORM NAME="apply" METHOD="post" ACTION="index.php?page=application_form">
                            <TR ALIGN="left" VALIGN="middle"> 
                              <TD BGCOLOR="#EFEFEF"><B>Company Name:<FONT COLOR="#CC0000">*</FONT></B></TD>
                              <TD BGCOLOR="#FFFFFF"><INPUT NAME="company" TYPE="text" CLASS="formElement" ID="company" VALUE="<? print $company ?>" SIZE="25"> 
                              </TD>
                            </TR>
                            <TR ALIGN="left" VALIGN="middle"> 
                              <TD BGCOLOR="#FFFFFF"><B>Domain Name:<FONT COLOR="#CC0000">*</FONT></B></TD>
                              <TD BGCOLOR="#EFEFEF">www. 
        <INPUT NAME="domainname" TYPE="text" CLASS="formElement" ID="domainname" SIZE="25" onKeyPress="return handleEnter(this, event)" VALUE="<? print $domainname ?>"></TD>
                            </TR>
                            <TR ALIGN="left" VALIGN="middle"> 
                              <TD BGCOLOR="#FFFFFF"><B>Your Name:<FONT COLOR="#CC0000">*<FONT COLOR="#999999" CLASS="documenttext"> 
                                </FONT></FONT></B><FONT COLOR="#CC0000"><FONT COLOR="#999999" CLASS="documenttext">(First 
                                | Last)</FONT></FONT></TD>
                              <TD BGCOLOR="#EFEFEF"> <INPUT NAME="firstname" TYPE="text" CLASS="formElement" ID="firstname" VALUE="<? print $firstname?>" SIZE="20" onKeyPress="return handleEnter(this, event)"> 
                                <INPUT NAME="lastname" TYPE="text" CLASS="formElement" ID="lastname5" VALUE="<? print $lastname?>" SIZE="20" onKeyPress="return handleEnter(this, event)"> 
                              </TD>
                            </TR>
                            <TR ALIGN="left" VALIGN="middle"> 
                              <TD BGCOLOR="#EFEFEF"><B>E-Mail:<FONT COLOR="#CC0000">*</FONT></B></TD>
                              <TD BGCOLOR="#FFFFFF"> <INPUT NAME="email" TYPE="text" CLASS="formElement" ID="domainname2" VALUE="<? print $email ?>" SIZE="25" onKeyPress="return handleEnter(this, event)"> 
                              </TD>
                            </TR>
                    </FORM>
                  </TABLE>
And then from there on, once all the fields are filled in, I use the data to do some checks and on certain conditions perform certain tasks. But this is the basic outlay.
  #7 (permalink)  
Old 01-03-04, 08:16 PM
ermau
So replacing that $_REQUEST with $_GET does NOT work? Interesting, I don't see any problems with that...

As far as it being a security issue, does the page give access to any administrator-only options or anything like that? If not, it shouldn't really be a security issue; it's in certain cases that such problems arise. The rest of the code has no problem.

One note: I would avoid using <? and instead use the full <?php. Using <? is a server-side option and not all servers have it enabled (for future reference).
__________________
PHP / mySQL Developer
Reply With Quote
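
Added example, not part of any post in this thread: one way to handle the application form discussed above without $_REQUEST, taking domainname from the link (GET) or the form (POST) explicitly and every other field from POST only. The helper names field(), application_fields() and attr() are hypothetical, and the $get/$post arrays are constructed stand-ins for $_GET and $_POST so the script runs from the command line.

```php
<?php
// Added example: constructed inputs stand in for $_GET / $_POST so it runs from the CLI.

/** Read one field from an explicitly chosen source; never from a merged array. */
function field(array $source, string $key): string
{
    // Reject missing keys and array-valued input (e.g. ?domainname[]=x).
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return '';
    }
    return trim($source[$key]);
}

/**
 * Hypothetical helper for the thread's application form:
 * - domainname may be prefilled from the link (GET) or resubmitted by the form (POST)
 * - every other field is accepted from POST only
 */
function application_fields(string $method, array $get, array $post): array
{
    $domain = $method === 'POST' ? field($post, 'domainname') : field($get, 'domainname');
    return [
        'domainname' => $domain,
        'company'    => field($post, 'company'),
        'email'      => field($post, 'email'),
    ];
}

/** Escape a value before printing it inside VALUE="..." in the form. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed request: a link click carrying an extra query-string variable.
$get  = ['domainname' => 'new.mydomain.com', 'company' => 'set-from-url'];
$post = [];

// Simulates $_REQUEST with request_order "GP": GET and POST merged into one array.
$request = array_merge($get, $post);
var_dump($request['company']);   // the URL value is indistinguishable from form data

$fields = application_fields('GET', $get, $post);
var_dump($fields['company']);    // the POST-only field ignores the query string
echo '<INPUT NAME="domainname" VALUE="', attr($fields['domainname']), '">', "\n";
```

In the real page the call would be application_fields($_SERVER['REQUEST_METHOD'], $_GET, $_POST), with attr() applied to each value printed into the form.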