Reputation: 10447
I'm wondering if it's possible to get a variable whether it is in POST or GET and then use filter_input() to sanitize it.
At first I thought that $var = filter_input(INPUT_POST | INPUT_GET, "var", FILTER_SANITIZE_STRING) might work, however it doesn't and the PHP manual states you can only pass one type of input.
I also tried INPUT_REQUEST, which strangely didn't work. The function recognises it (i.e. it doesn't throw up an error saying I've put something wrong in $input), yet it won't get any code. And yes, I know not to use INPUT_REQUEST in a live environment, I was just purely testing to see if it would work.
Currently I do the following:
$var = filter_input(INPUT_POST, "var", FILTER_SANITIZE_STRING);
if(!$var) $var = filter_input(INPUT_GET, "var", FILTER_SANITIZE_STRING);
However, as with many things in PHP, there is often a simpler way that will do it all for me in one command. I'm wondering if that is the case here: can I combine them into one check? I performed a cursory search on Google and couldn't even find any references to anyone trying this before, let alone a solution, so now I turn to you good folks.
Upvotes: 6
Views: 4144
Reputation: 109
Old topic, but for some cases it can be handy
$var = filter_var($_REQUEST['var'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
Upvotes: -1
Reputation: 3651
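A little bit late to the party. I had the same problem. My solution for this case is an approach like this:
// filter_input_array() returns null when the input array is empty, so fall back to [].
// With array_merge(), later arrays win: a GET value overrides a POST value of the same name.
$data = array_merge(filter_input_array(INPUT_POST) ?: [], filter_input_array(INPUT_GET) ?: []);
$var = $data["var"] ?? null;
If you need to sanitize beforehand, use the options from filter_input_array: http://php.net/manual/de/function.filter-input-array.php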
For example:
$args = array(
'var' => FILTER_SANITIZE_STRING
);
And combined:
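// add_empty = false, so a key missing from GET does not overwrite the POST value with null.
$data = array_merge(filter_input_array(INPUT_POST, $args, false) ?: [], filter_input_array(INPUT_GET, $args, false) ?: []);
$var = $data["var"] ?? null;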
Upvotes: 2
Reputation: 1264
If you properly sanitize your input, I would personally test the result of filter_input for null, because the if(!$var) condition could be triggered by a falsy but existing value like 0.
For instance:
function getLatitude($name) {
    $var = filter_input(INPUT_POST, 'latitude', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
    if ($var === null) {
        $var = filter_input(INPUT_GET, 'latitude', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
    }
    return $var;
}
With the usual !$var condition and FILTER_SANITIZE_NUMBER_FLOAT, you will get a null value instead of 0.
Upvotes: 0
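An added example (not code from any of the posts) comparing the `!$var` test with the `=== null` test from the answer above. Because filter_input() reads the real request rather than test data, the hypothetical readParam() helper applies filter_var() to constructed arrays standing in for POST and GET; all function names and sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Stand-in for filter_input() over a constructed array: null when the
// parameter is absent, false when the filter fails, the sanitized string otherwise.
function readParam(array $source, string $name)
{
    if (!array_key_exists($name, $source)) {
        return null;
    }
    return filter_var($source[$name], FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
}

// Truthiness test from the question: any falsy result falls through to GET.
function looseLookup(array $post, array $get, string $name)
{
    $var = readParam($post, $name);
    if (!$var) {
        $var = readParam($get, $name);
    }
    return $var;
}

// Null test: GET is consulted only when POST did not contain the parameter.
function strictLookup(array $post, array $get, string $name)
{
    $var = readParam($post, $name);
    if ($var === null) {
        $var = readParam($get, $name);
    }
    return $var;
}

// Constructed requests: [POST data, GET data].
$cases = [
    'POST 0, GET 51.5'      => [['latitude' => '0'], ['latitude' => '51.5']],
    'POST array, GET 51.5'  => [['latitude' => ['x']], ['latitude' => '51.5']],
    'GET only, with markup' => [[], ['latitude' => '48.85<b>']],
    'neither'               => [[], []],
];

foreach ($cases as $title => [$post, $get]) {
    printf("%-22s loose=%-8s strict=%s\n", $title,
        var_export(looseLookup($post, $get, 'latitude'), true),
        var_export(strictLookup($post, $get, 'latitude'), true));
}
```

In the first two cases the loose lookup silently substitutes the GET value, while the strict lookup keeps the POST result (a present "0", or false for a failed filter) so the caller can accept or reject it explicitly.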
Reputation: 11026
I think there isn't a better approach than making a custom function with the code you already mentioned:
function getPostOrGet($name) {
    $var = filter_input(INPUT_POST, $name, FILTER_SANITIZE_STRING);
    if (!$var) $var = filter_input(INPUT_GET, $name, FILTER_SANITIZE_STRING);
    return $var;
}
And if you think about it, it is normal that you can't use the | operator, because then what happens if it's defined in both?
Also note that, as it's a bad practice, it doesn't have an "easy" way of doing it. So use a custom function if you really need it, and use only the correct input type if you can.
Upvotes: 2
Reputation: 94
From what I read you could change the value POST in your form to GET - that way you only need to accept GET - not sure if I understood it the right way.
Upvotes: 0
Reputation: 57703
It's considered bad practice if you don't know whether your input is in GET or POST. You should always know and not just randomly accept whatever.
Upvotes: 3