过滤器vs $ _POST（或$ _GET）

Question

Which one are you supposed to use, to check if a form submit button has been clicked?

<input type="submit" name="action" value="Sign Up">

1. if (isset($_POST['action'] && $_POST['action'] == "Sign Up") ... or
2. if (isset(filter_input(INPUT_POST, 'action')) && filter_input(INPUT_POST, 'action') == "Sign Up")

NB: I use $_POST['action] == 'Sign Up', because I use the 'action' array for delete and logout as well, and because some of my forms have two submit buttons, so I can differentiate).

Answer 1

Assuming you have <form method="post" ...> , you should use $_POST . You can check for a single field, for example:

if ( isset($_POST['action']) )

or any field:

if ( 0 < count($_POST) )

or check request method:

if ( $_SERVER['REQUEST_METHOD'] === 'POST' )

or a combination of above :)

I don't recommend checking submit button's value, if it changes, you need to modify the code as well. Not to mention what will you need to do if the site is or becomes multi lingual.

Answer 2

Not actually answering the question. But I would give the different submit-buttons different name 's, so they are not bound to the value which is displayed on the button. Which in turn makes it less error prone to change the text on the button.

For instance name='signup' or name='action[signup]' .

And check with isset($_POST['signup']) or isset($_POST['action']['signup']) respectively.

Answer 3

I'm not sure, but I think I bumped into this problem once: Forms can be posted by pressing enter, in which case no value for the button is posted. So I would strongly discourage to use three different submit buttons for three such different actions. Instead, I'd use three forms, and use another way to distinguish between them, like putting a hidden field in them or posting to a different url (or put something like ?action=signup in the forms action attribute.

Answer 4

If it's just the exact value of an input you want while expecting a very specific value, just use #1.

Using filters can save the amount of code needed. As opposed to writing out all the code needed to check if an IP address you're given is, say not on a private range, you can reduce the code to just this...

$var = "192.168.2.1";
echo (int) filter_var($var, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE); // 0

See http://www.php.net/manual/en/filter.filters.validate.php for additional filter types and option flags. Additionally, you can pass the value to a callback function to customize how you filter data.

You can also change/sanitize the input with less code. See http://www.php.net/manual/en/filter.filters.sanitize.php

$var = "te)st@test.com";
echo filter_var($var, FILTER_SANITIZE_EMAIL); // "test@test.com"

Though using filter_x functions allows for writing out less code, I personally have no idea how it performs compared to being handled by actual verbose code nor do I personally know exactly how reliable the filters and sanitizers are.

Answer 5

For just checking if it's there, you don't need filter_var . isset alone is sufficient.

Answer 6

The first one is the right one:

if (isset($_POST['action'] && $_POST['action'] == "Sign Up") ...

Because using a function in isset will trigger a parse error. Only variables can be used with isset and other language constructs like empty .