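Sure it is. Try something like:
    <?php
    // Dump both arrays; escape the dump because it echoes request data.
    echo htmlspecialchars(print_r($_GET, true), ENT_QUOTES, 'UTF-8');
    echo htmlspecialchars(print_r($_POST, true), ENT_QUOTES, 'UTF-8');
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Test</title>
    </head>
    <body>
    <!-- PHP_SELF is taken from the request URL, so escape it before echoing it into the attribute. -->
    <form name="testform" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>?testget=testgetvalue">
    <input name="testpost" type="text" id="testpost" value="testpostvalue">
    <input type="submit" name="Submit" value="Submit">
    </form>
    </body>
    </html>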
Yes, it is. However, you should use some specific logic when using request data in this manner. You should also be absolutely sure that you only accept data from the expected request method. For example, let's say you have a CRM or other account / customer related record. You can use something like:
    <form method="post" action="/process_form.php?account=some_account_id">
You would then process the form to update the $_GET account, with the posted variables. IMO it is a superior method of dealing with a record specific form than using a hidden input as long as it is used properly. The risk (which is easily avoidable) would be processing the form using $_REQUEST['account']. If someone spoofed the $_REQUEST['account'] request variable, they could inject malicious or incorrect data. Anyway, point being, if you do use this method, make sure you know what should be $_GET and what should be $_POST.
I don't see what the risk is with $_REQUEST['account']. $_GET or $_POST can just as easily be spoofed. It's best to just not ever use $_REQUEST and know where your variables are supposed to be, $_GET or $_POST. Anyway, I think hidden input fields are a superior method, at least for things like IDs. You do not want people messing around with parameters, etc. Though it doesn't really matter. Of course, if you use the same script to handle both your view (the GET request) and update (the POST request), then you could put it in your query string just in case they want to, for whatever reason, save the URL to return to later.
Yes. Set the form's "method" to POST and attach the GET variables to the address in the form's "action".
REQUEST is sloppy coding, and yes the others can be spoofed, but you should always know where your data is coming from. Let's say you have a form.
    <form action="process.php" method="post">
        <input type="text" name="account" value="1" />
    </form>
On the process.php page you process the account variable. Let's say someone is trying to exploit your script. They instead post to: process.php?account=2 They also create an 'account' cookie, with a value of 3.
    //$_GET['account'] = 2;
    //$_POST['account'] = 1;
    //$_COOKIE['account'] = 3;
What is $_REQUEST['account']???
Well, prior to PHP 5.3.0 it's going to be the $_COOKIE, based on variables_order. Since PHP 5.3.0 you can now specify a request_order directive specifically for this. Anyway, I agree that $_REQUEST shouldn't be used, it's just that it was formulated rather strangely in your original post. $_GET and $_POST can just as easily be manipulated.
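
How the collision discussed above resolves, as an added example that is not part of any post in the thread: build_request() emulates the documented request_order rule (sources registered left to right, a later source overwriting an earlier one) on the thread's values, and handle_update() reads the record id only from the query string and the fields only from the POST body. The function names, the `name` field and the sample values are assumptions made for this example.

```php
<?php
declare(strict_types=1);
// Emulates how PHP fills $_REQUEST: the sources named in request_order are
// registered left to right, and a later source overwrites an earlier one.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        $merged = array_replace($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Reads a positive integer from one named source only. Returns null when the
// key is missing, is an array, or is not a positive integer.
function read_id(array $source, string $key): ?int
{
    $id = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical handler for "record id in the URL, fields in the body": POST
// only, id from the query string, never from $_REQUEST. A real handler must
// also check that the logged-in user may edit this id (not shown).
function handle_update(string $method, array $get, array $post): string
{
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    $account = read_id($get, 'account');
    if ($account === null) {
        return '400 bad account id';
    }
    $name = is_string($post['name'] ?? null) ? trim($post['name']) : '';
    return sprintf('update account %d, name=%s', $account, var_export($name, true));
}

// Constructed request from the thread: the form posts account=1, the URL
// carries account=2, and a cookie named account holds 3.
$get = ['account' => '2'];
$post = ['account' => '1', 'name' => 'Example Ltd'];
$cookie = ['account' => '3'];
foreach (['GP', 'PG', 'GPC', 'CGP'] as $order) {
    printf("request_order=%-3s  \$_REQUEST['account']=%s\n", $order, build_request($order, $get, $post, $cookie)['account']);
}
echo handle_update('POST', $get, $post), "\n";
echo handle_update('GET', $get, $post), "\n";
echo handle_update('POST', ['account' => 'abc'], $post), "\n";
```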