View Full Version : $_POST vs $HTTP_POST_VARS - which one is recommended? I forget...

03-26-2003, 03:16 AM
Hmmm, seems like only yesterday that the PHP site was harping on about how we should use $HTTP_POST_VARS and friends instead of the equivalent $_POST - at least, I think they were, or maybe I got confused.

Now it seems that $_POST style is recommended over $HTTP_POST_VARS style, in part because the $_POST style ones are apparently superglobals...? Hmmm...

Any thought on this, anyone? Which are you "supposed" to use (both are supported) plus the advantages etc.

I have found in some cases I have had to declare $_POST inside a function, which I should not have to do, and of course that tends to muck things up a bit, which is why perhaps I should stick to the other way...?

::] krycek [::

03-26-2003, 05:10 AM
Use $_POST because like you said it's superglobal. In new versions of php register globals are turned off be default.

Here is what php.net has to say about them both

Note: Introduced in 4.1.0. In earlier versions, use $HTTP_POST_VARS.

An associative array of variables passed to the current script via the HTTP POST method. Automatically global in any scope.

This is a 'superglobal', or automatic global, variable. This simply means that it is available in all scopes throughout a script. You don't need to do a global $_POST; to access it within functions or methods, as you do with $HTTP_POST_VARS.

$HTTP_POST_VARS contains the same initial information, but is not an autoglobal. (Note that HTTP_POST_VARS and $_POST are different variables and that PHP handles them as such)

If the register_globals directive is set, then these variables will also be made available in the global scope of the script; i.e., separate from the $_POST and $HTTP_POST_VARS arrays. For related information, see the security chapter titled Using Register Globals. These individual globals are not autoglobals

03-26-2003, 05:14 AM
kinda like I thought, then :) cheers! :thumbsup:

::] krycek [::

03-27-2003, 05:15 AM
pre $_POST users were encouraged to use $HTP_POST_VARS as a secure alternative to $post_variable.

"I have found in some cases I have had to declare $_POST inside a function"

then you have issues elsewhere , $_POST is always global in scope ... note that


are in fact 2 different variables which does sometimes cause confusion , especially when $_POST[variable] will take on the value of $_POST['variable'] (if exists) if 'variable' is not defined.