mseancole mseancole - 5 months ago 14
PHP Question

Is $_SERVER['REQUEST_METHOD'] still viable?

So, for a while now I've been using the following to check if my post data has been set.

if( ! empty( $_POST ) ) { }

But recently I've been seeing a lot of posts saying that the above is a "hack" and the below is the correct "better" way.

if( $_SERVER[ 'REQUEST_METHOD' ] === 'POST' ) { }

By recently I just mean I've only recently found it. All the posts that are discussing this later method are from 2009'ish. A bit old by coding standards so I figure its ok to get a fresh opinion on this topic.

I've come to understand that the two methods are different. The first is considered a "hack" that just checks if the post array has been set, which will happen if a post request is made. The second actually checks the server to see if a post request has been made. I imagine the second might be a little more secure, but if the information is cleansed anyways I don't see how it makes much of a difference.

I've also seen posts that the later was only used in PHP versions <= 4 because PHP was still using the
global at this point and this was the way PHP coders used to determine the source of certain request paramters. I'm not sure how accurate that last statement is, because the questions being posed in the older posts are the same as mine. They use the post global and not request. However, this is a more recent post than any of the others (2011), and from a source I've come to trust. So I'm not sure what to make of it.

And what to do when checking for get? I've seen a couple of places say that the server request method doesn't seem to work in this instance, and I can only assume that it is because post supercedes get and the request method can only hold one paramter. So if you have both post and get data what do you do? A comment on one of these posts suggests using the request global instead of post and get, but I've been under the impression that is a bad idea.

This is the most recent source I could find, and I did so by looking through the similar questions on the side before submitting. It is specifically asking about using a submit value to check if the form was passed, but it does also mention the request method. A lot of it seems to indicate that the later is still being used commonly. So is this advice still valid? Is checking the request method still the best option?

Answer Source

Yes, it's still there, and it's still 100% reliable. The $_SERVER["REQUEST_METHOD"] var is set by PHP itself, based on the actual request method used by the user's connection. A user can't send in a query paramter or otherwise influence the value of that var, other than by changing the type of request.

Your if(!$_POST) is not reliable, because it IS possible to perform a post but not send any data across it, e.g:

<form method="post">
<input type="submit" />

will produce just such an empty $_POST array - there are no named form elements in the form, so no data will be sent, yet a POST has still be performed.

I would not worry about PHP4 not having this superglobal. PHP 4 is a stone age version, and code which supports v4 but built on v5 will have to contain so many ugly/disgusting hacks to achieve backwards compatibility that anyone having to work on that code would suffer from nightmares. PHP 4 should be considered dead and gone.