This answer explains why very well. The $_SERVER method is more robust, but not precise. The $_SERVER method is good if you do not care what was posted to the server. The $_POST method s great if there are multiple submissions and it matters what was picked. As long as you sanitize then either method is good in my opinion. For example:
$submit = filter_input(INPUT_POST, 'action', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if (isset($submit) && $submit === 'login') {
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$result = $users->read($username, $password);
if ($result) {
after_successful_login();
}
}
I take it one step further by doing this in my forms →
<input type="hidden" name="action" value="login">
instead of the relying on the submit button. However, if you want to be 100 percent sure (well nothing on the net is 100 percent) then just stick to $_SERVER. I’m personally not doing any banking transactions or something that requires NSA type security, so I just use $_POST for my websites. I do my due diligence with other security measures that I have learned from reputable online resources (Lynda.com and Treehouse.com).