if($_SERVER['REQUEST_METHOD'] == 'POST') vs isset['submit']?

I see that these days programmers have started using the if($_SERVER['REQUEST_METHOD'] == 'POST') method instead of isset($_POST['submit']). Is it most effective to use the first one?

if($_SERVER['REQUEST_METHOD'] == 'POST') and if(isset($_POST['submit'])) - any derivatives of if(isset($_POST[...])) work differently, but have the same goals in mind. They both are used to check if form submissions were correctly done. One of those is wrong because it’s a “hack” way of checking for form submissions.

if(isset($_POST[...])) is mostly used by beginner PHP programmers. If they are matured and have some kind of PHP knowledge, but still use if(isset($_POST[...])), then they are the ones keeping the legacy going.

if($_SERVER['REQUEST_METHOD'] == 'POST') is actually the correct way of checking for form submissions.

What if(isset($_POST[...])) is looking for is, it’s checking whether the field or part of the array that gets passed through $_POST contains the submit field or submit name attribute. This will fail in some IE browsers when the user hits Enter on a text field instead of clicking the button.

Relying on the button to be clicked is not really a way you should also be going about form submissions. Relying on certain names for form submission checking is rather a horrible and amateur way of doing it. People using a modern-day web browser now have developer tools at their disposal. It’s not hard for an average Joe who doesn’t have any IT degree or any IT knowledge to go and click on things. They can modify anything on their side. This means anything that is HTML, JavaScript, or even CSS, they can modify or save to their local machines and modify it and then re-submit it to the same action page to make it look legit.

So, encompassing what I have just said, anyone can modify your web page on their side. This means they can use developer tools on their web browser and delete elements that are required for validation on your server side. This means that they can delete, say, the Submit button. This in turn will cause your form to fail based on logic.

If the user submits the form via pressing the Enter key on a text field and deletes the Submit button on their side, does that count as NOT submitting the form? Because I’d like to beg to differ.

So what I suggest is to use the correct one.

if($_SERVER['REQUEST_METHOD'] == 'POST')

Because the purpose of this function is to CHECK whether the request was done via $_POST or $_GET. $_POST are almost always done in some kind of form whether it be through JavaScript or HTML, you’re still submitting the form. $_GET is usually through the URL or link. $_GET can also be passed through JavaScript using a GET declaration.

4 Likes
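An added example (not part of the thread and not any poster's code) that runs both checks over constructed requests. The function names, the `email` field and the sample arrays are assumptions made for the illustration, and the handler validates the data it needs on the server regardless of which fields the client chose to send.

```php
<?php
declare(strict_types=1);

// Check discussed in the thread: depends on a client-controlled field name.
function submittedByButton(array $post): bool
{
    return isset($post['submit']);
}

// Check recommended in the thread: depends only on the HTTP method.
function submittedByMethod(array $server): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST';
}

// Hypothetical handler: gate on the method, then validate the data itself.
function handleForm(array $server, array $post): string
{
    if (!submittedByMethod($server)) {
        return 'show form';
    }
    // A field can arrive as an array (email[]=x), so check the type first.
    $email = is_string($post['email'] ?? null) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'reject: invalid email';
    }
    return 'accept: ' . $email;
}

// Constructed requests standing in for $_SERVER and $_POST.
$requests = [
    'button clicked'        => [['REQUEST_METHOD' => 'POST'], ['email' => 'a@example.com', 'submit' => 'Send']],
    'POST, no submit field' => [['REQUEST_METHOD' => 'POST'], ['email' => 'a@example.com']],
    'button kept, bad data' => [['REQUEST_METHOD' => 'POST'], ['email' => 'not-an-email', 'submit' => 'Send']],
    'plain page load'       => [['REQUEST_METHOD' => 'GET'], []],
];

foreach ($requests as $label => [$server, $post]) {
    printf(
        "%-22s isset(submit)=%-5s method=%-5s -> %s\n",
        $label,
        var_export(submittedByButton($post), true),
        var_export(submittedByMethod($server), true),
        handleForm($server, $post)
    );
}
```

The second row is the case the answer above describes: the POST carries valid data but no `submit` field, so only the method check recognises it as a submission.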

Another way around the IE issue (that I have used in the past) is to have a hidden input element in your form, something like this:

<input type="hidden" name="action" value="submit">

then you can simply do the following

if (isset($_POST['action']) && $_POST['action'] === 'submit') {
  /* Code Goes Here */
}

though it’s probably just as easy to use $_SERVER['REQUEST_METHOD'], but remember to sanitize it before going onto a remote website.

Can you explain why sanitation is required when checking to see if the request method is POST? If you are trying to use the value for something else (maybe logging?) then sure but a simple compare? Will PHP even allow an unknown value through?

Indeed, thanks mate for the brief info, will definitely go for the first one.
