How to get a request from a post or from location
This example shows you how to get a request from a post or from a location/URL.
$Name = $_REQUEST['Name'];
This is a very simple approach. The way I usually do it is like this:
$Name = isset($_REQUEST['Name']) ? $_REQUEST['Name'] : "";
What this does is use the isset command to decide how to set the variable. If you don't use it and $_REQUEST['Name'] is not defined, then $Name won't be set. The other thing I am doing here is setting the variable only if the request contains something; otherwise I am just setting it blank.
Let's break it down so you can see what this operator means.
This is how you would do it with an IF statement:
if(!empty($_REQUEST['Name']))
    $Name = $_REQUEST['Name'];
else
    $Name = "";
We are actually doing the same thing with the ? and : signs. First you see isset($_REQUEST['Name']), followed by the ?. If there is something in the request, the variable is set to what you define after the ?, which means that if it is not empty, $Name will now contain what is in $_REQUEST['Name']. Otherwise it uses what comes after the :, which in our example is "", i.e. nothing.
Now usually when you do this you want to make it database safe. That means you want to escape special characters in $_REQUEST['Name'], because if someone posts something like "my name is foo'bar" to your site and you insert the $Name variable straight into your database, it will break your string. Why? Because it contains a single quote, this sign: '. When you insert something into a text field, or any other field on SQL Server that can contain text, it is wrapped in quotes as '$Name' in the insert statement.
Here is an example:
INSERT INTO TableName (MyTextField) VALUES ('$Name')
Now if you don't escape the "foo'bar" that the user posted in the $Name variable, you will break the insert statement, because SQL Server thinks you are actually closing the quoted value, and a user could exploit this to execute code on your SQL Server. There are actually functions in PHP that can escape these special characters: the addslashes command would add a \ before the ' sign, which escapes it so it isn't taken literally. The way I do it is with a little function I made that replaces every ' with two, so one ' becomes ''. When inserted into SQL Server it counts as one ' but won't break your insert statement.
Here is the function
function fixString($data) {
$data = str_replace("'", "''", $data);
return $data;
}
So now that you have this function, you can make your request like this instead:
$Name = fixString(isset($_REQUEST['Name']) ? $_REQUEST['Name'] : "");
This will make the request database safe.
Another example: let's say you want to request the value from a checkbox and insert it into the database. The easiest way would be:
$Checkbox1 = fixString(isset($_REQUEST['Checkbox1']) ? "1" : "null");
As you can see, here we are saying: if the $_REQUEST contains something then set $Checkbox1 = 1, else set it to null. If a checkbox is checked and not defined as an array, PHP will read it as ON; that is actually the value you are getting. So we are saying that if $_REQUEST is true, which it will be if the box is checked because ON is passed, then we set the $Checkbox1 variable to 1, else we set it to null. We want to do this to make it easy to insert into a database: if you have an int field or a bit field, it is a good idea to set it to NULL when you are not using it, and it is easier to filter on when you do your selects from the SQL Server.
That also means you do not need the fixString function here, because the user cannot manipulate the value; you are controlling what the $Checkbox1 variable will contain.
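As an added example (not code from the original article), the following runs the article's fixString() on the constructed input foo'bar and then stores the same name and the checkbox flag with a PDO prepared statement instead, the approach to prefer because the value never becomes part of the SQL text. It assumes an in-memory SQLite database standing in for SQL Server, a made-up table name People, and a $request array playing the role of $_REQUEST.

```php
<?php
// Added example, not from the original article. Assumptions: SQLite in memory
// stands in for SQL Server, the table name "People" is made up, and the
// $request array plays the role of $_REQUEST for a constructed submission.

// The article's fixString(): doubles single quotes so the value survives
// inside a '...' literal. It only helps when the value sits inside quotes.
function fixString($data) {
    return str_replace("'", "''", $data);
}

// Constructed input: a name containing a quote, checkbox left unchecked.
$request = ['Name' => "foo'bar"];
$Name = isset($request['Name']) ? $request['Name'] : "";

// 1) The article's approach: escape, then build the SQL text by hand.
$sqlEscaped = "INSERT INTO People (MyTextField) VALUES ('" . fixString($Name) . "')";
echo $sqlEscaped, "\n";

// 2) Prepared statement: the SQL text is fixed and values are bound separately,
//    so the quote in $Name cannot change the statement and no escaping is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE People (MyTextField TEXT, Checkbox1 INTEGER)");

$stmt = $pdo->prepare(
    "INSERT INTO People (MyTextField, Checkbox1) VALUES (:name, :flag)"
);
$stmt->bindValue(':name', $Name, PDO::PARAM_STR);      // raw value, quote and all
if (isset($request['Checkbox1'])) {
    $stmt->bindValue(':flag', 1, PDO::PARAM_INT);      // checked: browser sent "on"
} else {
    $stmt->bindValue(':flag', null, PDO::PARAM_NULL);  // unchecked: a real SQL NULL
}
$stmt->execute();

// Read the row back: the stored name is exactly what was submitted and the
// checkbox column is NULL, ready to filter on with "WHERE Checkbox1 IS NULL".
$row = $pdo->query("SELECT MyTextField, Checkbox1 FROM People")->fetch(PDO::FETCH_ASSOC);
if ($row['MyTextField'] !== "foo'bar" || $row['Checkbox1'] !== null) {
    throw new RuntimeException("unexpected stored values");
}
echo "stored name: ", $row['MyTextField'], "\n";
```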