I'm learning PHP and specifically how to secure php forms.

I'm reading an article entitled "Sanitize and Validate Data with PHP Filters" wherein the author checks if the form was submitted using the following code:

    if (isset($_POST['Submit'])) {
        // do something...
    }

Which does work, but I've read that it's best to use input filters (i.e. filter_input).

Secondly, using filter_input would also stop NetBeans from nagging me about not "accessing the superglobal $_POST Array directly".

So I wrote the following:

    function is_form_submit() {
        // read the request method through the filter API instead of $_SERVER
        $request = filter_input(INPUT_SERVER, "REQUEST_METHOD");
        return $request === 'POST' ? true : false;
    }

Which could be used like so:

    if ( is_form_submit() ) {
        // do something...
    }

So my question is: doesn't my code achieve the same thing? If not, why not? Please advise.

5 Comments

  • isset($_POST['Submit']) only works if you have an input element with the name "Submit", whereas $_SERVER['REQUEST_METHOD'] === 'POST' is a more generic solution. To check specifically for a form submission, you could check whether the content type is application/x-www-form-urlencoded or multipart/form-data. Commented Apr 14, 2014 at 3:15
  • also... return $request === 'POST' ? true : false; === return $request === 'POST'; Commented Apr 14, 2014 at 3:16
  • You can also check simply if (!empty($_POST)); normally I used to check the submitted value. Commented Apr 14, 2014 at 3:16
  • I usually do an isset with the default parameters that are always sent, plus I have tokens sent with each post, and validating them tells me that the post was submitted and came from my form. Commented Apr 14, 2014 at 3:16
  • Well, filter_input() requires PHP 5.2+ and it is probably slower than isset() (not tested). Commented Apr 14, 2014 at 3:18

2 Answers

1

While your code would achieve the same result in most cases, it is not the same as the isset call.

What your code does is check whether the REQUEST_METHOD is POST. That is, it checks whether the user made a POST request to access the current page.

What the isset does is check whether something with the name Submit was sent via POST. This usually happens when your submit button is <input name="Submit" type="submit" value="Submit" />, as clicking that (or hitting enter in a text field when it's the first submit button) will result in $_POST['Submit'] being set.

To see the different behaviours, compare the results of curl -X POST your-url.com/page.php with curl -F Submit=submit your-url.com/page.php.


3 Comments

I ran both commands on the page with the form. They both loaded the page. What should I be seeing?
I marked this as the answer as this was the clearest answer for me. However, I still don't get what I was "supposed" to see by running the curl commands you posted.
If you use the isset check only, then the first command won't work, whereas the second will. If you use the filter_input check, then both will work.

1

filter_input is untouched user input.

Some scripts add/modify $_POST and $_GET directly. Fine if your code is fail-safe, but if something goes wrong with the manipulated keys/values, there could be errors.

    filter_input( INPUT_POST, 'requiredID' )   // reads the original request body

Would not be affected by the type of coding below

    $_POST['requiredID'] = brokenFunction( $_POST['requiredID'] );   // overwrites the superglobal
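To make the curl comparison from the first answer and the $_POST-tampering point from the second answer visible in one place, here is an added example page (not code from the question or either answer). It assumes the file is saved as page.php and served with PHP's built-in server; `brokenFunction` from the second answer is replaced by a plain assignment that simulates a script overwriting $_POST. The method check reads $_SERVER directly rather than filter_input(INPUT_SERVER, ...), because INPUT_SERVER is not populated under some SAPIs (for example php-fpm) and the call can return null there.

```php
<?php
// Added example: report what each "was the form submitted?" check sees.
// Run: php -S 127.0.0.1:8080 -t .   (with this file saved as page.php), then
//   curl -X POST http://127.0.0.1:8080/page.php
//   curl -F Submit=submit http://127.0.0.1:8080/page.php
declare(strict_types=1);

function is_form_submit(): bool
{
    // Method check only: true for ANY POST to this URL, form or not.
    // $_SERVER is used because filter_input(INPUT_SERVER, ...) is not
    // populated under some SAPIs (e.g. php-fpm) and returns null there.
    return ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
}

function submit_button_present(): bool
{
    // Field check: true only when a field named "Submit" was posted.
    return isset($_POST['Submit']);
}

function is_form_encoded(): bool
{
    // Content types a browser form actually sends (see the first comment).
    $type = trim(strtolower(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));
    return in_array($type, ['application/x-www-form-urlencoded', 'multipart/form-data'], true);
}

// Evaluate the checks BEFORE anything touches $_POST.
$results = [
    "REQUEST_METHOD === 'POST'" => is_form_submit(),
    "isset(\$_POST['Submit'])"  => submit_button_present(),
    'form content type'         => is_form_encoded(),
];

// Second answer's point: some script overwrites $_POST (simulated here);
// filter_input(INPUT_POST, ...) still returns what the client sent.
$_POST['Submit'] = 'overwritten-by-some-plugin';
$results["filter_input(INPUT_POST, 'Submit')"] = filter_input(INPUT_POST, 'Submit');
$results["\$_POST['Submit'] after overwrite"]   = $_POST['Submit'];

header('Content-Type: text/plain');
foreach ($results as $label => $value) {
    printf("%-38s : %s\n", $label, var_export($value, true));
}
```

With the first curl command only the method check is true; with the second all three checks are true, and filter_input still returns the value the client posted even though $_POST['Submit'] has been overwritten.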
