PHP $_POST VS $_GET VS $_REQUEST
“Christ is our star of Hope. I want my death-bed to be under that star.” - Thomas De Witt Talmage
this has been one of the issues that has been bugging me lately. i’ve been using php for quite some time now and i haven’t had the chance to delve deeper into this subject.
as far as i know $_REQUEST is the best way to access data from the html form. basically $_REQUEST can be used with either the POST or the GET method in a form. but as i studied it more deeply i found something quite disturbing about it.
basically $_REQUEST can be used to inject sql statements out of php scripts, which is not very good. this can very much lead to attacks and intrusions on any internet or network application.
sql injection will look something like this in the browser:
www.samplewebsite.com/?username=admin&password=password
maybe in a later post, i will write something about sql injection. as for now i will focus on $_POST, $_GET and $_REQUEST.
now what about $_GET? the $_GET method displays all the form variables as well as their values in the browser’s address bar, which again can be used for injection. if no sensitive information is being submitted, $_GET or $_REQUEST is very much okay to use.
now what about $_POST? this method hides the variables as well as their values until they are called or echoed. this method prevents the values and data from being seen by other users.
all my projects from now on will be submitted using $_POST. it may not be a surefire method to protect my applications from would-be attackers but a little prevention is better than none.
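
An added example, not code from the original post: the same constructed value is read from stand-ins for $_GET, $_POST and $_REQUEST and passed first to a concatenated query and then to a PDO prepared statement, so the outcome depends on how the value reaches the SQL. The users table, the function names and the in-memory SQLite database (needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Constructed input: the same form value as it would arrive in each superglobal.
$sources = [
    '$_GET'     => ['username' => "O'Brien"],
    '$_POST'    => ['username' => "O'Brien"],
    '$_REQUEST' => ['username' => "O'Brien"],
];

// Hypothetical schema in a throwaway in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->prepare('INSERT INTO users (username) VALUES (?)')->execute(['admin']);
$db->prepare('INSERT INTO users (username) VALUES (?)')->execute(["O'Brien"]);

// Weak: the value is pasted into the SQL text, so its quote character
// is parsed as SQL syntax instead of being treated as data.
function findUserConcat(PDO $db, array $input): string
{
    $sql = "SELECT id FROM users WHERE username = '" . $input['username'] . "'";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? "found id {$row['id']}" : 'not found';
    } catch (PDOException $e) {
        return 'input altered the statement: ' . $e->getMessage();
    }
}

// Hardened: the SQL text is fixed and the value is bound as a parameter.
function findUserPrepared(PDO $db, array $input): string
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :username');
    $stmt->execute([':username' => $input['username']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? "found id {$row['id']}" : 'not found';
}

// The result is identical for all three sources; only the query style matters.
foreach ($sources as $name => $input) {
    printf("%-10s concat:   %s\n", $name, findUserConcat($db, $input));
    printf("%-10s prepared: %s\n", $name, findUserPrepared($db, $input));
}
```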
