Is it bad practice to write to $_POST?

Question

If this is file_1.php

Answer 1

Generally spoken $_POST is just a regular PHP array that's populated with the POST data on each request. It's therefore possible to write your own values into $_POST.

But...

1) Your code doesn't work as your header() call in file_1.php instructs the browser to issue a new request which results in a completely new (and empty) $_POST array in file_2.php. The array will be empty because you didn't post anything to file_2.php.

2) In my opinion it's indeed bad practice... Getting data from $_POST (or $_GET or $_REQUEST) indicates that you're retrieving user data which should be handled with extreme caution (filtering, sanitizing, escaping,...). Writing internal data into these arrays will mix up internal and external data leading to confusion and probable security holes.

Answer 2

It's absolutely fine to do that. If you look at all the big php frameworks (CI, cake, joomla etc), they all post via the index.php page thro' a controller to the final destination (usually using some helper code). Therefore, the $_POST variable is buried quite a few layers deep. Remember, the $_POST variable is ONLY valid for that transitory moment while the http request is active, so when the request is complete, all variables are reset to null.

The $_SESSION variable CAN be used if you want to persit between requests - tho it depends on your requirement and scenario.

Answer 3

Your example cannot work, see other's answer which explain why.

Furthermore using $_POST superglobal as a data storage is a pretty bad idea imho. Use specific variable sharing solution if you need (like database, im memory registry, session, cookie, etc)

Answer 4

You want to use $_SESSION instead.

$_POST is for information that has been POSTed to the current page and doesn't maintain state between page loads, it will only be populated if you actually post something to the second file when redirecting. If you were to include the second file, rather than redirecting via a header, then what you've done would work since the $_POST variable would still be set.

$_SESSION will maintain state between pages, so will accomplish what you want when redirecting.

To use $_SESSION properly, you'll need to call session_start(); first to begin the session. There's more info in the PHP manual.

Answer 5

The $_POST should only be used with forms not like this:

$_POST["test_message"] = "Hello, world";

You also need to make sure that you avoid any security risks, use functions like stripslashes and mysql_real_escape_string (when inserting data in database)

To maintain state between pages, you need to use the sessions instead.

Answer 6

Look at it from the web server's perspective: it receives a request for file_1.php, runs that PHP file, and sends back the result, which happens to include a Location: header. Then some time later, it receives a separate request for file_2.php, so it loads and runs that file and sends back the result, which is an HTML page. The point is, the two files are used in completely separate HTTP requests. Each one is run in a separate environment, so for example, any changes that are made to variables in one are not reflected in the other one. The $_POST in the request for file_1.php is a separate variable from the $_POST in the request for file_2.php.

As far as your actual question: I think you can write to $_POST, but it's probably not recommended. That's not really what the variable is for.