General PHP Question about forms

This isn’t an actual problem. It’s more of a question than anything. The question is why do people choose isset over $_SERVER['REQUEST_METHOD']?

To my understanding, isset is only good if the variable is present. Take a $_GET parameter: an isset check would only be necessary if you want a specific $_GET URL. The same thing applies with sessions. If a session variable might not be set, I would normally use isset in case it really isn’t set.

Why do people use isset over $_SERVER['REQUEST_METHOD'] when it comes to form posting? Yes, isset is an easy way out and it works just the same, but in my opinion it’s not that safe. A user just needs to have the right $_POST variable and poof, your form was manipulated. Using $_SERVER['REQUEST_METHOD'] checks to see if the action was made through a POST or GET. That way, even though the user accesses the file via URL, the action of the form won’t begin. On the other hand, if a user accesses the file via URL using the isset method, the variable IS already set, since all you really need to do is something like ?q=asdfadfadsf or ?variable=<?php $SQL = $mysqli->prepare("DROP table;"); ?>, then poof. Your table was dropped. This would be SQL injection, especially since people still use the old mysql_* libraries even though there were many warnings about not using the old mysql_* functions.

My question is why do people choose these unsafe methods and not the obvious method? I mean, I did hear about $_SERVER['REQUEST_METHOD'] not working for some browsers like IE 8, but there’s IE 11 as a newer browser which has fixed these bugs.

Just because the request method is POST doesn’t mean that there are no GET values.

The problem isn’t which method is used to pass the values - the problem is forgetting to validate the values before moving them out of $_GET and $_POST. Simply copying them to new field names is worse than pointless as it just opens the entire script to injection vulnerabilities. At least if you leave them in the fields they started in then you know they came from the user and can contain anything.

Yeah, sorry, I know there’s GET and POST, but most of the time everyone goes for POST and not GET. Also, what do you mean by validating the values? Do you mean check to see if the value is the appropriate one?

Such as if I had

<input type="hidden" name="demo" value="1">

Then I would check to see if the value actually equals 1? Like so:

<?php
// Only act on submissions that arrived as POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    // POST values are always strings, so compare against the string '1'
    // rather than the loose integer comparison (which also matches "1abc").
    // The null-coalescing operator avoids an "undefined index" notice
    // when the field was left out of the request entirely.
    if (($_POST['demo'] ?? null) === '1') {
        echo "Great call";
    } else {
        echo "Modified value";
    }

}

Is that correct?

Yeah, that looks right.

BTW - GET is mainly for retrieving information. POST is for giving information. That’s probably why you mainly only see POST.

Yeah, I guess I do see a lot more POST because there are a lot of problems when it comes to updating and inserting into the database for most people.

Wouldn’t validating also mean using regex to see if the right characters are being used? Such as if it was supposed to only be all numbers and someone actually used letters instead?

As far as validating I think there are sanitize filters in PHP. IIRC this is the best way?

http://php.net/manual/en/filter.filters.sanitize.php

I’m no PHP guru though.

Yeah, same here. That’s why I have a lot of questions. But if I ask them all at the same time, I’ll look kind of silly. But umm, do you think that is the only thing that is wrong with most applications? That they don’t validate their user inputs? For me, I just keep thinking it’s because people are using isset and not request_method. I mean, it would be more helpful to them because isset is only good if you’re looking for something like so:

<?php
session_start(); // $_SESSION stays empty until the session has been started

// isset guards against reading a key that was never set.
if (isset($_SESSION['rest_in_peace'])) {

    // Strict comparison: only the exact string "rip" counts.
    if ($_SESSION['rest_in_peace'] === "rip") {
        echo "Session was RIP.";
    } else {
        echo "Session was not RIP.";
    }

}

That’s what I normally use for my logins. I rarely use isset if it’s not a GET or session variable.

There are also validating filters, which you should use where possible for validation.

Validation filters give an error if valid content is not found, so that your visitor can correct their data and try again.

Sanitizing filters are for stripping out invalid characters from fields your visitor shouldn’t have touched, so that while the field may not be correct it is at least harmless.

For validating:

  1. Use built-in functions where possible, e.g. for fields that are expected to be numeric use is_numeric(); if a field is supposed to only contain letters use ctype_alpha(), and so on.
  2. If a validation filter for the field type exists then use that to perform the validation, e.g. use if(filter_var($email, FILTER_VALIDATE_EMAIL)) to validate an email address.
  3. Use regular expressions to validate all user inputs that cannot be validated in either of the above two ways.

Do not copy values out of $_GET or $_POST into other fields until after user inputs have been validated and all other inputs have been sanitized.

Then there is a difference between the original fields and the copies you made: you know that the copies contain values that are valid for that particular content (whereas the original $_GET or $_POST can contain anything at all).

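Putting the advice from this post together with the earlier one (a REQUEST_METHOD check says nothing about the values; validate before copying anything out of $_POST), here is an added example handler. It is my own illustration, not code from anyone in this thread. The field names demo, age, name, email, zip and comment, the five-digit postcode regex and the 150-year age limit are assumptions made for the example. It shows a built-in function (ctype_digit/ctype_alpha), a validation filter (FILTER_VALIDATE_EMAIL), a regex for a shape no filter covers, and a sanitize filter (FILTER_SANITIZE_SPECIAL_CHARS) for free text, with nothing copied into $clean until it has passed its check:

```php
<?php
// Added example (not from the thread): validate-then-copy form handler.
declare(strict_types=1);

/**
 * Check every raw form value and return [$clean, $errors].
 * Only values that passed their own check are copied into $clean.
 * Hypothetical fields: demo, age, name, email, zip, comment.
 */
function processForm(array $post): array
{
    $clean  = [];
    $errors = [];

    // Hidden field: POST values are strings, so compare strictly against '1'.
    if (($post['demo'] ?? null) === '1') {
        $clean['demo'] = 1;
    } else {
        $errors['demo'] = 'Modified value';
    }

    // Numeric field: ctype_digit rejects "1e3", " 12" and "12abc",
    // which a loose == comparison or is_numeric() would let through.
    // The is_string guard handles ?age[]=1, which arrives as an array.
    $age = $post['age'] ?? '';
    if (is_string($age) && ctype_digit($age) && (int) $age <= 150) { // 150: assumed limit
        $clean['age'] = (int) $age;
    } else {
        $errors['age'] = 'Age must be a whole number between 0 and 150';
    }

    // Letters-only field.
    $name = $post['name'] ?? '';
    if (is_string($name) && $name !== '' && ctype_alpha($name) && strlen($name) <= 50) {
        $clean['name'] = $name;
    } else {
        $errors['name'] = 'Name may only contain letters';
    }

    // Built-in validation filter: returns the address, or false on failure.
    $raw   = $post['email'] ?? '';
    $email = is_string($raw) ? filter_var($raw, FILTER_VALIDATE_EMAIL) : false;
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'Invalid e-mail address';
    }

    // Regex for a shape no built-in filter covers (assumed: five-digit postcode).
    // \A and \z anchor the whole string; $ alone would accept a trailing newline.
    $zip = $post['zip'] ?? '';
    if (is_string($zip) && preg_match('/\A[0-9]{5}\z/', $zip) === 1) {
        $clean['zip'] = $zip;
    } else {
        $errors['zip'] = 'Postcode must be exactly five digits';
    }

    // Free text cannot be validated against a fixed shape; sanitize it instead
    // so that whatever it contains is harmless when echoed into HTML.
    $comment = $post['comment'] ?? '';
    $clean['comment'] = is_string($comment)
        ? filter_var(substr($comment, 0, 500), FILTER_SANITIZE_SPECIAL_CHARS)
        : '';

    return [$clean, $errors];
}

if (PHP_SAPI === 'cli') {
    // Constructed input imitating a hand-crafted POST (e.g. sent with curl):
    // the hidden field was tampered with and several fields are malformed.
    $forged = [
        'demo'    => '2',
        'age'     => '12abc',
        'name'    => 'Alice',
        'email'   => 'not-an-address',
        'zip'     => '1234',
        'comment' => '<script>alert(1)</script>',
    ];
    [$clean, $errors] = processForm($forged);
    print_r($errors); // the fields that were rejected
    print_r($clean);  // the values that are safe to use from here on
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Real request. The method check only tells us how the values arrived;
    // anyone can send a POST, so every value still goes through processForm().
    [$clean, $errors] = processForm($_POST);
    if ($errors !== []) {
        http_response_code(422);
        foreach ($errors as $field => $msg) {
            echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    } else {
        // Only $clean is used beyond this point; $_POST is never read again.
        echo 'Great call';
    }
}
```

Run it with `php handler.php` to see the constructed forged request rejected field by field; dropped into a web root it behaves the same way for a real POST. The point is the split between $_POST (anything at all) and $clean (only values that passed a check), which is what the reply above means by not copying values out until they have been validated or sanitized.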
