1

I am working with re-implementing a REST API for which client has no source code and is losing access to server...

I am finding the the caller is sending posts but without posted data. All of the parameters are specified in the URL or what would be the action if it were a posting form.

Like so:

"POST http://foo.com/api/rest/?method=users.add_user&token=foo&section=bar&group=baz HTTP/1.1" 200 605 "-" "-"

To my surprise those parameters are neither in $_GET nor $_POST but only available in $_REQUEST.

Am I missing something here? Why aren't they in $_GET as part of the URL accessed? The obvious answer is "because this is a POST so GET is undefined"?

Can someone educate me on my misconceptions of those super-globals?

Lightness Races in Orbit
  • 378,754
  • 76
  • 643
  • 1,055
jerrygarciuh
  • 21,158
  • 26
  • 82
  • 139
  • 1
    It's a long shot, but $_REQUEST usually also includes $_COOKIE. Is there any chance these same keys are being set in the client's cookies? – Andrew Ensley Feb 16 '12 at 17:35
  • 1
    You are aware that specifying the parameters in the url is "the GET way" for forms and "the POST way" would send them in the http body? I suppose it might have to do with that (i dont know php well enough though). What happens if you use GET as the method? – ZPiDER Feb 16 '12 at 17:37
  • @ZPiDER - the post is coming from a remote script not in my control but my questions are not about debugging that process. – jerrygarciuh Feb 16 '12 at 17:47
  • @Andrew - I don't think so. $_GET and $_POST are entirely empty and $_REQUEST has all the vars from the URL... – jerrygarciuh Feb 16 '12 at 17:49

1 Answers1

2

$_GET and $_POST are empty because you are using the POST protocol, but sending variables through the GET method (encoding them in the URL).

PHP is finding the POST method used, so it sets the information in the $_GET variable to nothing, then parses the variables sent in the form's POST data into the $_POST variable, ie: nothing.

The $_REQUEST variable on the other hand operates on a different mechanic where it will parse all variables from the request whether they came from cookies, multipart data, post, get, etc. Which is why you see them there.

Typically scripts and applications work off the $_REQUEST data anyway as it's a much more concise collection of all the data and since you can't technically ever have GET and POST data in the same request, you don't have to worry about collision between the data sets.

NotMe
  • 87,343
  • 27
  • 171
  • 245
Brian
  • 3,013
  • 19
  • 27
  • Thank you very much. That is exactly what I had failed to learn until today. Much obliged! – jerrygarciuh Feb 16 '12 at 17:59
  • Then how come when I submit a form to `somepage.php?key=blah`, even if there is no POST data, `$_GET['key']` is there? – Niet the Dark Absol Feb 16 '12 at 18:01
  • With one caveat. Sometimes you explicitly only want a variable if it was properly POSTed. In that case checking $_POST and ignoring $_REQUEST is the preferred mechanic. This is usually when you are taking a "destructive" action (one which changes the data in some way) and you really don't want google interfering. – NotMe Feb 16 '12 at 18:02
  • @Kolink I have seen cases where I receive GET variables from a POST request on certain servers/configurations and TBH I've never really bothered to look into why as those cases were "oops I didn't change the form method" instances and I didn't care anyway lol but yeah I've seen rare occurrences of it myself. My guess is there's a bug, but since most people formulate their requests properly when coding and use the appropriate superglobal in the script, I think it's just a case of most people not noticing it, and those who do, fix their mistake and don't care that PHP derped :P – Brian Feb 16 '12 at 18:07