Just a note, because I didn't know for sure until I tested it.
If you have a query string that contains a parameter but no value (not even an equals sign), like so:
http://path/to/script.php?a
The following script is a good test to determine how a is valued:
<pre>
<?php
print_r($_GET);
if($_GET["a"] === "") echo "a is an empty string\n";
if($_GET["a"] === false) echo "a is false\n";
if($_GET["a"] === null) echo "a is null\n";
if(isset($_GET["a"])) echo "a is set\n";
if(!empty($_GET["a"])) echo "a is not empty";
?>
</pre>
I tested this with script.php?a, and it returned:
a is an empty string
a is set
So note that a parameter with no value associated with, even without an equals sign, is considered to be an empty string (""), isset() returns true for it, and it is considered empty, but not false or null. Seems obvious after the first test, but I just had to make sure.
Of course, if I do not include it in my browser query, the script returns
Array
(
)
a is null
$_GET
$HTTP_GET_VARS [deprecated]
(PHP 4 >= 4.1.0, PHP 5, PHP 7)
$_GET -- $HTTP_GET_VARS [deprecated] — HTTP GET variables
Descrizione
An associative array of variables passed to the current script via the URL parameters.
$HTTP_GET_VARS contains the same initial information, but is not a superglobal. (Note that $HTTP_GET_VARS and $_GET are different variables and that PHP handles them as such)
Log delle modifiche
| Versione | Descrizione |
|---|---|
| 4.1.0 | Introduced $_GET that deprecated $HTTP_GET_VARS. |
Esempi
Example #1 $_GET example
<?php
echo 'Hello ' . htmlspecialchars($_GET["name"]) . '!';
?>
Assuming the user entered http://example.com/?name=Hannes
Il precedente esempio visualizzerà qualcosa simile a:
Hello Hannes!
Note
Nota:
Questa è una variabile 'superglobale', o automaticamente global. Ciò semplicemente significa che è visibile in tutti gli ambiti in uno script. Non è necessario dichiararla come global $variable; per accedervi da funzioni o metodi.
Nota:
The GET variables are passed through urldecode().
add a note
User Contributed Notes 16 notes
John Galt ¶
8 years ago
DimeCadmium ¶
4 days ago
Do NOT, as some people have recommended, "pre-clean" $_GET (or $_POST) at the top of your pages. First, you will almost certainly not clean it properly (since the method of cleaning depends on how it's being used - i.e. is it being output within HTML, or in a text/plain page, or maybe in an image or PDF or email? Or better yet is it going to a database?). But much worse, it will introduce subtle issues and will almost certainly lead to things being double escaped.
Take it from someone who is getting paid for hours and hours of work fixing an old application which took this approach (calling mysqli_real_escape_string on "everything"* in $_POST/$_GET). Please don't do it.
(*: it actually misses some stuff - it doesn't escape anything in an array in $_GET i.e. ?foo[]=some+bad+SQL+injection+here ! If you're going to do it at least do it right... you'll need a recursive function and you'll need to do it for $_POST, $_GET, and $_REQUEST, at the very least. Probably $_COOKIE as well. You'll also need to be sure you don't use php://input or similar anywhere... or, just, be sure you don't take any kind of input from any other source...)
david ¶
1 month ago
GET can be cached, remain in browser history, be bookmarked and have lenght limit but POST does not do that.
protocol://domainname/path?querry=parameters
chris at bjelleklang dot org ¶
7 years ago
Please note that PHP setups with the suhosin patch installed will have a default limit of 512 characters for get parameters. Although bad practice, most browsers (including IE) supports URLs up to around 2000 characters, while Apache has a default of 8000.
To add support for long parameters with suhosin, add
suhosin.get.max_value_length = <limit> in php.ini
timberspine _AT_ gmail _DOT_ com ¶
10 years ago
Note that named anchors are not part of the query string and are never submitted by the browser to the server.
Eg.
http://www.xyz-abc.kz/index.php?title=apocalypse.php#doom
echo $_GET['title'];
// returns "apocalypse.php" and NOT "apocalypse.php#doom"
you would be better off treating the named anchor as another query string variable like so:
http://www.xyz-abc.kz/index.php?title=apocalypse.php&na=doom
...and then retrieve it using something like this:
$url = $_GET['title']."#".$_GET['na'];
Hope this helps someone...
nggit at anggit dot com ¶
1 year ago
Sometimes I do not want to use isset() or array_key_exists() to check the index exists or not, but rather choose to define in advance. Union array operator is pretty handy for me:
<?php
$_GET += array('foo' => null, 'bar' => null); // define
echo $_GET['foo'];
echo $_GET['baz']; // Notice: Undefined index: baz in...
?>
Anonymous ¶
3 years ago
There is a smart way to protect the $ _GET input from malicious injection and options for inserting default values:
<?php
// Smart GET function
public function GET($name=NULL, $value=false, $option="default")
{
$option=false; // Old version depricated part
$content=(!empty($_GET[$name]) ? trim($_GET[$name]) : (!empty($value) && !is_array($value) ? trim($value) : false));
if(is_numeric($content))
return preg_replace("@([^0-9])@Ui", "", $content);
else if(is_bool($content))
return ($content?true:false);
else if(is_float($content))
return preg_replace("@([^0-9\,\.\+\-])@Ui", "", $content);
else if(is_string($content))
{
if(filter_var ($content, FILTER_VALIDATE_URL))
return $content;
else if(filter_var ($content, FILTER_VALIDATE_EMAIL))
return $content;
else if(filter_var ($content, FILTER_VALIDATE_IP))
return $content;
else if(filter_var ($content, FILTER_VALIDATE_FLOAT))
return $content;
else
return preg_replace("@([^a-zA-Z0-9\+\-\_\*\@\$\!\;\.\?\#\:\=\%\/\ ]+)@Ui", "", $content);
}
else false;
}
/*
DEFAULT: $_GET['page'];
SMART: GET('page'); // return value or false if is null or bad input
*/
?>
I hope this is helpful. Cheers ;)
Alberto Lepe dev at alepe dot com ¶
8 years ago
This Function will help you to manage your GET parameters to facilitate coding and prevent duplication. This is a basic version but it can be easily extended.
<?php
// Author: Alberto Lepe (www.alepe.com)
/* Process $_GET to preserve user custom parameters
* the arguments is a list of URL parameters that should be removed/changed from URL
* for example:
*
* URL = "index.php?s=1&fi=2&m=4&p=3
*
* if called: fixGet("s"); the result has to be: ?fi=2&m=4&p=3
* if called: fixGet("s&m"); the result has to be: ?fi=2&p=3
* if called: fixGet("s=4"); the result has to be: ?s=4&fi=2&m=4&p=3
* if called: fixGet("s=2&m"); the result has to be: ?s=2&fi=2&p=3
* if called: fixGet("s=&m=3"); the result has to be: ?s=&fi=2&m=3&p=3
* if called: fixGet("s=2&m="); the result has to be: ?s=2&fi=2&m=&p=3
* Special: when it ends with a =":" its to leave it open at the end
* (just first occurrence) to facilitate concatenation:
* if called: fixGet("s=2&m:"); the result has to be: ?s=2&fi=2&p=3&m
* if called: fixGet("s=2&m:="); the result has to be: ?s=2&fi=2&p=3&m=
*
* Usage with HTML (using the URL example above and $id = 99):
*
* <a href="index.php<?php echo fixGet('m=2&s&fi:=').$id ?>" >Link</a>
* Explanation: change "m" to 2, delete "s" and "fi" gets the $id value. ("p" is kept as it is not specified)
* will output: <a href='index.php?m=2&p=3&fi=99'>Link</a>
*/
public function fixGet($args) {
if(count($_GET) > 0) {
if(!empty($args)) {
$lastkey = "";
$pairs = explode("&",$args);
foreach($pairs as $pair) {
if(strpos($pair,":") !== false) {
list($key,$value) = explode(":",$pair);
unset($_GET[$key]);
$lastkey = "&$key$value";
} elseif(strpos($pair,"=") === false)
unset($_GET[$pair]);
else {
list($key, $value) = explode("=",$pair);
$_GET[$key] = $value;
}
}
}
return "?".((count($_GET) > 0)?http_build_query($_GET).$lastkey:"");
}
?>
To test, copy+paste the following code into testFixGet.php
<?php
/*
* Unit Test for fixGet()
*/
$cases = array (
0 => array("s" => 1, "fi" => 2, "m" => 4, "p" => 3),
1 => array("s" => "", "fi" => "", "m" => 4, "p" => 3),
);
$test[0] = array(
"s" => "fi=2&m=4&p=3",
"s&m" => "fi=2&p=3",
"s=4" => "s=4&fi=2&m=4&p=3",
"s=2&m" => "s=2&fi=2&p=3",
"s=&m=3" => "s=&fi=2&m=3&p=3",
"s=2&m=" => "s=2&fi=2&m=&p=3",
"s=2&m:=" => "s=2&fi=2&p=3&m=",
"z=9" => "s=1&fi=2&m=4&p=3&z=9",
"z:" => "s=1&fi=2&m=4&p=3&z",
"s:&m=3" => "fi=2&m=3&p=3&s",
"s&m=3" => "fi=2&m=3&p=3",
);
$test[1] = array(
"s" => "fi=&m=4&p=3",
"s&m" => "fi=&p=3",
"s=4" => "s=4&fi=&m=4&p=3",
"s=2&m" => "s=2&fi=&p=3",
"s=&m=3" => "s=&fi=&m=3&p=3",
"s=2&m=" => "s=2&fi=&m=&p=3",
"s=2&m:=" => "s=2&fi=&p=3&m=",
"z=9" => "s=&fi=&m=4&p=3&z=9",
"z:" => "s=&fi=&m=4&p=3&z",
);
foreach($cases as $x => $value) {
echo "<hr> CASE: $x <hr>\n";
foreach($test[$x] as $arg => $expected) {
$_GET = $cases[$x];
$res = myForm::fixGet($arg);
echo (($res === "?".$expected)?"OK":"NG ($res)")." [$arg]<br>\n";
}
}
?>
robotreply at gmail dot com ¶
8 years ago
Parsing of GET/POST drops duplicate variables unless those variables have "[]" (PHP bugs #10502, #15498 and #16195). Adding "[]" makes a mess of your javascript code, so here is a small workaround to it.
This function basically scans your raw POST and GET input and tries to fix the same. This function must be called near the top of your script. Optimizations are welcome.
<?php
function php_fix_raw_query() {
$post = '';
// Try globals array
if (!$post && isset($_GLOBALS) && isset($_GLOBALS["HTTP_RAW_POST_DATA"]))
$post = $_GLOBALS["HTTP_RAW_POST_DATA"];
// Try globals variable
if (!$post && isset($HTTP_RAW_POST_DATA))
$post = $HTTP_RAW_POST_DATA;
// Try stream
if (!$post) {
if (!function_exists('file_get_contents')) {
$fp = fopen("php://input", "r");
if ($fp) {
$post = '';
while (!feof($fp))
$post = fread($fp, 1024);
fclose($fp);
}
} else {
$post = "" . file_get_contents("php://input");
}
}
$raw = !empty($_SERVER['QUERY_STRING']) ? sprintf('%s&%s', $_SERVER['QUERY_STRING'], $post) : $post;
$arr = array();
$pairs = explode('&', $raw);
foreach ($pairs as $i) {
if (!empty($i)) {
list($name, $value) = explode('=', $i, 2);
if (isset($arr[$name]) ) {
if (is_array($arr[$name]) ) {
$arr[$name][] = $value;
} else {
$arr[$name] = array($arr[$name], $value);
}
} else {
$arr[$name] = $value;
}
}
}
foreach ( $_POST as $key => $value ) {
if (is_array($arr[$key]) ) {
$_POST[$key] = $arr[$name];
$_REQUEST[$key] = $arr[$name];
}
}
foreach ( $_GET as $key => $value ) {
if (is_array($arr[$key]) ) {
$_GET[$key] = $arr[$name];
$_REQUEST[$key] = $arr[$name];
}
}
# optionally return result array
return $arr;
}
?>
Daniel M ¶
7 years ago
If you need to find out whether any GET variables have been specified, you can use the empty() function.
<?php
if(empty($_GET))
echo "No GET variables";
else
print_r($_GET);
?>
empty() - http://php.net/manual/en/function.empty.php
print_r() - http://php.net/manual/en/function.print-r.php
Maarten Schroeven ¶
6 years ago
You can use this function to remove any $_GET variables out of your URL, it takes an array off strings(the names keys of the $_GET you wish to remove) and returns the url with the ones specified removed
<?php
function getUrlWithout($getNames){
$url = "http" . ((!empty($_SERVER['HTTPS'])) ? "s" : "") . "://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$questionMarkExp = explode("?", $url);
$urlArray = explode("&", $questionMarkExp[1]);
$retUrl=$questionMarkExp[0];
$retGet="";
$found=array();
foreach($getNames as $id => $name){
foreach ($urlArray as $key=>$value){
if(isset($_GET[$name]) && $value==$name."=".$_GET[$name])
unset($urlArray[$key]);
}
}
$urlArray = array_values($urlArray);
foreach ($urlArray as $key => $value){
if($key<sizeof($urlArray) && $retGet!=="")
$retGet.="&";
$retGet.=$value;
}
return $retUrl."?".$retGet;
}
?>
Example
current url is http://www.example.net/index.php?getVar1=Something&getVar2=10&getVar3=ok
<?php
echo getUrlWithout(array("getVar1","getVar3"));
//result will be "http://www.example.net/index.php?getVar2=10"
?>
zgold ¶
6 years ago
I don't directly use $_GET due to security concerns, instead I create a new array called $_CLEAN which contains cleaned superglobal variables.
<?php
function clean($elem)
{
if(!is_array($elem))
$elem = htmlentities($elem,ENT_QUOTES,"UTF-8");
else
foreach ($elem as $key => $value)
$elem[$key] = $this->clean($value);
return $elem;
}
$_CLEAN['GET'] = clean($_GET);
?>
I also do this for $_POST, as followed:
<?php $_CLEAN['POST'] = clean($_POST); ?>
dirk dot lze at gmail dot com ¶
2 years ago
Make $_GET and $_POST more like in Perl.
This function also disable magic_quotes.
Will be better to handle.
function param($name){
if(is_string($name)){
if((bool) get_magic_quotes_gpc()){
set_magic_quotes_runtime(0);
$param = isset($_POST[$name]) ? stripslashes($_POST[$name]) : false;
$param = isset($_GET[$name]) ? stripslashes($_GET[$name]) : $param;
}else{
$param = isset($_POST[$name]) ? $_POST[$name] : false;
$param = isset($_GET[$name]) ? $_GET[$name] : $param;
}
return $param;
}else{
return $name;
}
}
if(param('foo')){
echo "bar";
}
PHP Notes ¶
1 year ago
I like to use the following as a method to make sure data is not provided as an array before I try and use it, resulting in "Array" warning.
if(!in_array(false, array_map("is_string", $_POST)))
{
All data has been submitted as string.
}
Naturally, this is only applicable if all data is supposed to be a string, but it's far easier and cleaner than using is_string on up to 20 elements
Z80user ¶
5 years ago
in MySQLi
I need write
-. $_GET[actor]
instead of
-. $_GET["actor"]
or
-. $_GET['actor']
NOTE: IIS 7.5 (On Windows Server 2008 R2 Datacenter) with PHP Version 5.4.12 and mysqlnd 5.0.10
Version of MySQL 5.6.10
This code show a Movies with an actor ID_Actor
E.G. URL "http://127.0.0.1/test2.php?actor=14"
<?php
// CONNECT TO THE DATABASE
$DB_HOST = '';
$DB_USER = '';
$DB_PASS = '';
$DB_NAME = '';
$mysqli = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// A QUICK QUERY ON A FAKE USER TABLE
$query = "SELECT DISTINCT Title FROM movie WHERE ID_movie IN ( SELECT DISTINCT ID_Movie FROM actor_scene WHERE ID_actor=$_GET[actor]) ";
$result = $mysqli->query($query) or die($mysqli->error.__LINE__);
// GOING THROUGH THE DATA
if($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
echo stripslashes($row['Title'])."<br>";
echo " ";
}
}
else {
echo 'NO RESULTS';
}
// CLOSE CONNECTION
mysqli_close($mysqli);
?>
slavik0329 ¶
9 years ago
the addget function below actually has more use when you dont use the recursive merge as such:
<?php
function AddGet($ArrayOrString){
if(is_array($ArrayOrString))
return http_build_query(array_merge($GLOBALS['_GET'], $ArrayOrString));
parse_str($ArrayOrString, $output);
return http_build_query(array_merge($GLOBALS['_GET'], $output));
}
?>
In this case, if the key is added again with a different value it will be replaced with the new value.
addget("change=true"); // ?change=true
addget("change=false"); // ?change=false
