Aim
To handle a personal-information form in PHP and retrieve the submitted data using the $_GET, $_POST and $_REQUEST superglobals.
Theory
When a form is submitted, PHP parcels the field values into superglobal arrays chosen by the form's method attribute: method="get" fills $_GET, method="post" fills $_POST. Superglobals are ordinary associative arrays (field name → value) that are available in every scope without the global keyword.
GET vs POST is the key design decision. GET appends the data to the URL as a query string (?name=Rohit&city=Delhi): visible in the address bar, history and server logs, bookmarkable and shareable, but length-limited (roughly 2 KB in practice) — right for idempotent reads such as searches and filters. POST carries the data in the HTTP request body: invisible in the URL, effectively unlimited in size, able to carry file uploads, and the browser warns before re-submitting — right for personal data, passwords and anything that changes state.
$_REQUEST is a merged view of GET + POST (and, depending on the request_order ini setting, cookies). It is convenient but risky: the reader cannot tell which channel a value came from, and one source can silently shadow another that uses the same key — so explicit $_GET/$_POST is best practice. And because every form value is user-controlled, anything echoed back into HTML must pass through htmlspecialchars() to neutralise XSS.
Requirements
- XAMPP/WAMP with Apache and PHP 8.x, or the PHP CLI / an online PHP compiler
- Code editor (VS Code); browser or terminal
Procedure
- Start Apache from the XAMPP Control Panel.
- Save the snippet as
p14_form_handling.phpinC:\xampp\htdocs\wbplab. - Open
http://localhost/wbplab/p14_form_handling.php, or runphp p14_form_handling.php— the script pre-fills the three superglobals itself, so the retrieval logic is observable without a browser form. - To try it live, delete the three simulated assignments and submit a small personal-information form to the script, e.g.
<form method="post" action="p14_form_handling.php">withname,city,emailandageinputs; GET fields can also be supplied straight in the URL:?name=Rohit&city=Delhi.
Explanation of the Code
- The first three lines simulate a submission:
$_GETreceivesname/city,$_POSTreceivesemail/age, and$_REQUESTis rebuilt witharray_merge($_GET, $_POST)— mirroring what PHP itself does according torequest_order. echo "Using \$_GET:\n"— the backslash stops PHP from interpolating the array inside the double-quoted string, so the label prints literally.- The
$_GETblock reads$_GET["name"]and$_GET["city"]by key; the$_POSTblock does the same foremailandage— explicit, source-aware retrieval. - The
foreach ($_REQUEST as $key => $value)loop walks the merged array and prints every pair — demonstrating that$_REQUESTholds both sources with no indication of origin.
Expected Output
Three labelled blocks. Using $_GET: shows Name: Rohit Kumar and City: Delhi; Using $_POST: shows Email: rohit@example.com and Age: 21 (the extra spaces come from the aligned label in the echo); Using $_REQUEST: lists all four merged pairs — name: Rohit Kumar, city: Delhi, email: rohit@example.com, age: 21 — proving it contains the union of the other two.
🎯 Viva Questions
- State three practical differences between GET and POST. GET data rides in the URL (visible, bookmarkable, logged) and is length-limited; POST data travels in the request body, has no practical size limit and can carry file uploads.
- When is GET the correct method? For idempotent reads — searches, filters, pagination — where a bookmarkable, shareable URL is a feature; never for passwords or state-changing actions.
- Why is relying on
$_REQUESTdiscouraged? It merges GET, POST and possibly cookies, so a value's origin is ambiguous and one source can shadow another — a security and debugging hazard. - What decides which superglobal a form field lands in? The form's
methodattribute:get→$_GET,post→$_POST; both also appear in$_REQUEST. - Why does the snippet write
\$_GETinside the echo strings? The backslash escapes the$so PHP prints the superglobal's name instead of trying to interpolate its value. - How should form data be redisplayed safely? Through
htmlspecialchars(), which converts<,>,&and quotes into entities so injected markup cannot execute (XSS defence).
CO Mapping
CO1, CO2