Passing Inputs to PHP Scripts

What Are Inputs?

When users interact with your website, they send data to your PHP scripts. This happens when they:

Click a link with parameters (like products.php?category=shoes)
Submit a form (like a login or contact form)
Use a search box

PHP provides special arrays called superglobals to access this data. The two most important ones are $_GET and $_POST. These arrays are automatically populated by PHP with the data the user sent.

$_GET - URL Parameters

$_GET captures data sent through the URL. This data appears after the ? in a web address and is called the query string.

How Query Strings Work

A query string consists of key-value pairs separated by &:

https://example.com/page.php?id=5&name=John&active=true
                            └─────────────────────────┘
                                    query string

Breaking it down:

id=5 → key is “id”, value is “5”
name=John → key is “name”, value is “John”
active=true → key is “active”, value is “true”

Reading GET Data

PHP automatically parses the query string and populates the $_GET array:

1
// URL: page.php?id=5&name=John
2

3
$id = $_GET['id'];       // "5" (note: it's a string, not a number)
4
$name = $_GET['name'];   // "John"
5

6
echo "User $name has ID $id";

Common Uses for GET

Pagination: articles.php?page=2
Filtering: products.php?category=electronics&sort=price
Search: search.php?q=php+tutorials
Sharing links: Users can bookmark or share URLs with parameters

Important Characteristics

Data is visible in the URL (don’t use for passwords!)
URLs can be bookmarked and shared
Limited to about 2000 characters (varies by browser)
Data is sent when the page loads - no form needed

$_POST - Form Data

$_POST captures data sent through HTML forms when the form’s method is set to “POST”. Unlike GET, this data is sent in the request body, not the URL.

The name attribute on each form input determines the key in $_POST:

1
// If a form has <input name="username"> and <input name="email">
2
$username = $_POST['username'];
3
$email = $_POST['email'];

POST is used for sensitive data (passwords), large data, and actions that modify data (creating accounts, submitting orders).

GET vs POST

Feature	GET	POST
Data location	URL query string	Request body (hidden)
Visible in URL	Yes	No
Bookmarkable	Yes	No
Data limit	~2000 characters	No practical limit
Browser back button	Safe to repeat	May warn about resubmission
Saved in browser history	Yes	No
Cached by browser	Yes	No
Logged by servers	Yes (in access logs)	Usually not
Security for sensitive data	Never use	Preferred (with HTTPS)
Use for	Retrieving/reading data	Submitting/changing data

When to Use Each

Use GET when:

Displaying or searching for information
The action can be repeated safely (viewing a page twice is fine)
You want users to bookmark or share the URL
Examples: search results, filtered product lists, pagination

Use POST when:

Submitting sensitive information (passwords, personal data)
Creating, updating, or deleting data
The action should not be accidentally repeated
Examples: login, checkout, posting a comment

Think of it this way: GET is like asking a question (“show me product #5”), POST is like giving an instruction (“create this new user”).

$_REQUEST

$_REQUEST is a superglobal that combines data from both $_GET and $_POST (and $_COOKIE).

1
// Works whether 'id' came from GET or POST
2
$id = $_REQUEST['id'];

Why You Should Avoid $_REQUEST

While convenient, $_REQUEST has drawbacks:

Unclear data source: You can’t tell if the data came from the URL or a form
Security concerns: An attacker might send GET data when you expected POST
Harder to debug: When something goes wrong, you don’t know where to look

Best practice: Always use $_GET or $_POST explicitly. It makes your code clearer and more secure.

1
// Unclear - where did this come from?
2
$id = $_REQUEST['id'];
3

4
// Clear - this came from the URL
5
$id = $_GET['id'];
6

7
// Clear - this came from a form
8
$id = $_POST['id'];