Reply to: Easy Peasy PHP Question

Also far too many people use $_REQUEST when they really only want to use a $_POST and open their site up to a whole slew of potential cross site scripting exploits.

IMHO $_REQUEST should only be used in exceptional circumstances.

It annoys me too - just a few months ago I ranted to a colleague for five minutes non-stop after wasting loads of time tracking down an error-that-wasn't-an-error-to-PHP, much to his amusement

It's reasonable enough to have a script that expects both a GET and a POST - the typical case is a form where, on GET, you show the form and, on POST, you validate the input, re-display the form with error messages in the case of problems, and otherwise redirect to the appropriate destination. But a script that should only be accessed by a subset of methods (say GET and HEAD) is safest checking.

Ok, it's a notify rather than an error but that's one of the things that annoys me about PHP - too much inconsistency and 'special' cases. If it were a regular array rather than a '$_' one then you'd get an error - and rightly so.

You're probably right about expecting a specific HTTP method but I have found odd situations where I've needed to cater for both in the same code - although it's probably not best practice to do so. So I've changed my mind re $_REQUEST - it probably just invites security problems.

Nope. Using the default configuration, attempting to access an undefined index in $_GET will return NULL, as shown if you run the following:

For example.com/blah.php, this echoes "thingy is NULL". for example.com/blah.php?thingy=Fred it echoes "thingy is Fred".

You can change the error reporting level so as to show an error in this case (E_NOTICE is the one, I believe, defined as "the script encountered something that could indicate an error, but could also happen in the normal course of running a script") but the default for PHP 4 and PHP 5 is not to notify such an error. It's recommended that the stricter level of error reporting only be used for development, never on a deployed application.

Having said that, it is usually sensible to adopt your approach of using isset() to determine whether the parameter has been passed and react accordingly. Alternatively the script should behave gracefully in the event of having a parameter whose value is NULL.

Personally I'm not much in favour of using $_REQUEST. I tend to be very strict about HTTP methods, so if I have a script that only expects an HTTP GET and somebody tries to do an HTTP POST to it, I'm not going to act as if that's OK: they're probably probing for weaknesses, so they can have a 405 Method Not Allowed for their trouble

What if 'thingy' isn't provided in the HTTP GET request?

You'd get an invalid index error.

$value_of_thingy = (isset($_GET['thingy']) ? $_GET['thingy'] : false);

Also may be better to use $_REQUEST[] rather than $_GET[].

</pedant>

Nice one, ta!

For future reference...

Nick, many thanks! Just what I needed.

DP, it's a fair cop, I admit I was being VERY lazy

Blimey, that's a pretty basic bit of missing knowledge. Why not get a good book on the subject for beginners (tutorial style)?