Accessing URL Parameters in PHP

Understanding URL Parameters

URLs often contain data passed to a web server as parameters. This is commonly used to send information for search queries, form submissions, or to dynamically tailor web page content. In PHP, these parameters are accessible through the $_GET superglobal array.

What are URL Parameters?

URL parameters are key-value pairs appended to a URL after a question mark (?). Multiple parameters are separated by ampersands (&).

For example, in the URL http://example.com/page.php?name=John&age=30, name and age are the parameter keys, and John and 30 are their respective values.

Accessing Parameters with $_GET

PHP provides the $_GET superglobal array to easily access these parameters. $_GET behaves like a normal associative array where the parameter keys are strings.

Here’s how you can retrieve a parameter’s value:

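<?php
  if (isset($_GET['name'])) {
    $name = $_GET['name'];
    // Encode the value before writing it into HTML so markup in the
    // parameter is displayed as text instead of being interpreted.
    echo "Hello, " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!";
  } else {
    echo "No name provided.";
  }
?>

In this example, we check if the name parameter exists in the URL using isset(). If it does, we retrieve its value, HTML-encode it with htmlspecialchars(), and display a greeting. If not, we display a default message.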

Important: Always check if a parameter exists before attempting to access it. This prevents PHP from generating a "Notice: Undefined index" error when the parameter is missing.

Using filter_input for Security

While $_GET is convenient, it’s crucial to sanitize user input to prevent security vulnerabilities like Cross-Site Scripting (XSS). The filter_input() function provides a secure way to retrieve and sanitize input from various sources, including $_GET.

Here’s how to use filter_input():

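<?php
  // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; this filter
  // HTML-encodes the value (like htmlspecialchars() with ENT_QUOTES).
  $name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);

  // null: parameter missing; false: the filter failed (e.g. ?name[]=x)
  if ($name !== null && $name !== false) {
    echo "Hello, " . $name . "!";
  } else {
    echo "No name provided.";
  }
?>

In this example, filter_input() retrieves the name parameter from the INPUT_GET source and applies the FILTER_SANITIZE_FULL_SPECIAL_CHARS filter. This filter HTML-encodes potentially harmful characters such as <, >, & and quotes, so the value can be echoed into HTML. FILTER_SANITIZE_STRING, which older tutorials use here, is deprecated as of PHP 8.1. The function returns null if the parameter is not found and false if the filtering fails.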

Available Filters:

PHP offers a variety of filters for different data types and purposes. Some common filters include:

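  • FILTER_SANITIZE_STRING: Sanitizes a string by removing or encoding potentially harmful characters (deprecated as of PHP 8.1).
  • FILTER_SANITIZE_NUMBER_INT: Sanitizes an integer by removing all characters except digits and plus and minus signs.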
  • FILTER_VALIDATE_INT: Validates an integer.
  • FILTER_SANITIZE_URL: Sanitizes a URL.
  • FILTER_VALIDATE_URL: Validates a URL.

Refer to the PHP documentation for a complete list of available filters: https://www.php.net/manual/en/filter.filters.php
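
An added example (not from the original page) that validates the name and age parameters from the URL shown earlier and encodes the name only at output. Because filter_input() reads the real request and returns null on the command line, it runs filter_var_array() over constructed query strings parsed with parse_str(); read_profile_params() and e() are hypothetical helper names, and the 50-byte and 0-150 limits are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): validate the name/age
// parameters from a query array such as $_GET. Returns [values, errors].
function read_profile_params(array $query): array
{
    $spec = [
        'name' => FILTER_UNSAFE_RAW,   // free text: keep raw, escape on output
        'age'  => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 0, 'max_range' => 150],
        ],
    ];
    // Missing keys come back as null; failed filters (including array
    // input such as ?name[]=x) come back as false.
    $filtered = filter_var_array($query, $spec, true);
    $values = $errors = [];
    foreach ($filtered as $key => $value) {
        if ($value === null) {
            $errors[$key] = 'missing';
        } elseif ($value === false
            || ($key === 'name' && ($value === '' || strlen($value) > 50))) {
            $errors[$key] = 'invalid';
        } else {
            $values[$key] = $value;
        }
    }
    return [$values, $errors];
}

// Encode for an HTML context at the point of output.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample query strings (not from the original page).
$samples = ['name=John&age=30', 'name=%3Cb%3EJohn%3C%2Fb%3E&age=30',
            'name[]=John&age=thirty', 'age=200'];
foreach ($samples as $queryString) {
    parse_str($queryString, $query);   // stands in for PHP filling $_GET
    [$values, $errors] = read_profile_params($query);
    if ($errors) {
        echo 'Rejected: ' . e(http_build_query($errors, '', ', ')) . "\n";
    } else {
        echo 'Hello, ' . e($values['name']) . ' (' . $values['age'] . ")!\n";
    }
}
```

In a web request, pass $_GET to read_profile_params() in place of the parsed sample array.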

Using the Null Coalescing Operator (PHP 7.0+)

PHP 7.0 introduced the null coalescing operator (??), which offers a concise way to supply a default value if a parameter is missing.

<?php
  $name = $_GET['name'] ?? 'Guest';
  // Encode the value before writing it into HTML output
  echo "Hello, " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!";
?>

This code handles a missing parameter like the if (isset($_GET['name'])) example, but in a more compact form. If $_GET['name'] is set and not null, its value is assigned to $name. Otherwise, the default value 'Guest' is assigned.

Alternative: $_REQUEST

PHP also provides the $_REQUEST superglobal array. $_REQUEST is automatically populated with data from $_GET, $_POST, and $_COOKIE. While convenient, relying on $_REQUEST can make your code less predictable and harder to debug, because it hides where a value came from. It is generally best practice to explicitly use $_GET or $_POST to clearly indicate the source of the data.
