Can't wrap my head around this $_GET and $_POST

Hello, I’m new to PHP and I’m currently going over Kevin Yank’s book “PHP & MySQL: Novice to Ninja”.

From reading the book and looking up W3C, my understanding is that if someone uses method=“get” in your HTML form, then you use $_GET to retrieve that data; same for method=“post”, then you use $_POST.

In the book we set up a joke database and use PHP and HTML to display all the jokes, then we added the function to delete jokes using a hidden form.

Here’s part of the code: (NOTE that it uses method=“post”)

<?php foreach ($jokes as $joke): ?>
	<form action="?deletejoke" method="post">		
		<blockquote>
			<p>
				<?php echo htmlspecialchars($joke['text'], ENT_QUOTES, 'UTF-8'); ?>
				<input type="hidden" name="id" value="<?php echo $joke['id']; ?>">
				<input type="submit" value="Delete">
			</p>
		</blockquote>
	</form>
<?php endforeach; ?>

And in the PHP code that runs the SQL query:

How come it’s using $_GET??? I didn’t notice this at first and typed $_POST instead of $_GET, and it turns out it didn’t work until I changed it to $_GET.

if (isset($_GET['deletejoke']))
{
	try
	{
		$sql = 'DELETE FROM joke WHERE id = :id';
		$s = $pdo->prepare($sql);
		$s->bindValue(':id', $_POST['id']);
		$s->execute();
	}
	catch (PDOException $e)
	{
		$error = 'Error deleting joke: ' . $e->getMessage();
		include 'error.html.php';
		exit();
	}
	
	header('Location: .');
	exit();
}

Hi dtliao0303 and welcome to SitePoint,

The reason $_GET is used is because deletejoke is part of the browser’s query string, which is always made via a GET request method. However, if we use POST as the request method, as done in your example, all the input fields become part of the POST request as well as deletejoke, but because it’s still part of the query string it’s still accessible via $_GET. The easiest way to remember if you should use $_GET or not is by looking at what’s in the query string; if something is not there, then it means a different request method was used.

Hope that helps.

Thank you for the explanation Chris!

$_GET is intended for read operations. $_POST is intended for write operations. While it’s certainly possible to mix the two by putting URL parameters in the action attribute, it’s not advised. Browsers bookmark and cache $_GET requests. They do not do so for $_POST operations.

By mix the two, do you mean using ?deletejoke for the action attribute and method=post, but using $_GET in the PHP?

Yes. But to clarify…

Anything you put in the action parameter of the form after the ? will be passed as a get parameter. If the form’s method is set to post, the result is the two will become mixed. This can be quite troublesome.

Hi Michael thanks for the clarification.

I’m wondering what could be a better solution?

Because I’m new to this and I’m just following the book. My understanding is that in the book he uses the ? to have the information pass from the template file (HTML file) back to a controller script (a PHP file containing all PHP only), but uses $_POST to avoid the URL from showing information that’s being sent.

Also, what kind of issue will it cause if the two are used together?

The largest issue occurs when the programmer on the backend is lazy and uses $_REQUEST, which is a blend of $_POST and $_GET. Use of $_REQUEST is bad practice.

Another issue is this:

<form action="?action=fetch" method="get">
  <input type="hidden" name="action" value="dontfetch">
</form>

When that form is submitted, what will be the value of $_GET['action']? Answer - I don’t know without looking it up, and I would NOT be surprised to find it varies between browsers. And if I don’t know after doing this nearly a decade, I imagine most programmers won’t. It’s ambiguous and confusing.

Even if we change the method of the form to $_POST, the $_REQUEST['action'] variable’s contents cannot be reliably predicted. Request loading order defaults to GPC (Get, Post, Cookie), but it can be changed in the php.ini file or .htaccess file so confusion can again be fast to occur.

I just find that it is best to send all parameters within the same method. If you’re posting, send everything in the $_POST array.
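
An added example (not from the book or from any poster in this thread) of the point made above: it models how `$_REQUEST` is merged under two `request_order` settings and shows a controller check that reads the action from the POST body only. The function names, the hidden `action` field used in place of `?deletejoke`, and the sample request are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHP's own code: models how $_REQUEST is filled
// from the request_order letters, left to right, with later sources
// overwriting earlier ones.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys and lets the later source win
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hypothetical helper: take the action from the POST body only, and only
// if it is on an allow-list. Anything in the query string is ignored.
function posted_action(string $method, array $post, array $allowed): ?string
{
    if ($method !== 'POST') {
        return null;
    }
    $action = $post['action'] ?? null;
    return is_string($action) && in_array($action, $allowed, true) ? $action : null;
}

// Constructed sample request: a form posted to "?action=fetch" that also
// carries a hidden field action=deletejoke and id=7.
$get  = ['action' => 'fetch'];
$post = ['action' => 'deletejoke', 'id' => '7'];

// The same request gives a different $_REQUEST['action'] per setting.
foreach (['GP', 'PG'] as $order) {
    $request = build_request($order, $get, $post, []);
    echo "request_order={$order}: \$_REQUEST['action'] = {$request['action']}\n";
}

// Reading only the POST body gives one answer regardless of request_order,
// and the same fields arriving by GET are not treated as a delete.
echo 'POST-only action: ', var_export(posted_action('POST', $post, ['deletejoke']), true), "\n";
echo 'Same fields via GET: ', var_export(posted_action('GET', $post, ['deletejoke']), true), "\n";
```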

Hmm… I’m not sure I get everything, but thank you so much for trying to help! : )