Clearing _POST array fully

Asked 18/10, 2012 at 11:48 Answered 23/4, 2018 at 20:44

I want clear $_POST array content fully, all examples what I see in internet, looks like this:

if (count($_POST) > 0) {
    foreach ($_POST as $k=>$v) {
        unset($_POST[$k]);
    }
}

Tell please, this variant will be not more better? (Point of view as saving resources)

if (count($_POST) > 0) {
     $_POST = array();
}

or not ?

Croak answered 18/10, 2012 at 11:48 Comment(17)

Why would you want to empty $_POST? – Tully 18/10, 2012 at 11:49

You don't even need count. $_POST = array(); and you are all set. – Prosper 18/10, 2012 at 11:49

After first time using POST data, I need clear they – Croak 18/10, 2012 at 11:50

If you need to change the values of $_POST you are doing something wrong. – Candelaria 18/10, 2012 at 11:50

you dont even require to write condtion. simple $_POST = array(); statement will do. – Acidulate 18/10, 2012 at 11:51

@Jon, @Lex: $_POST is writable which is kind of stupid, it can make sense to clear it if you are using an interface like a class to read user input. – Disembarrass 18/10, 2012 at 11:51

@WesleyMurch: Why does it make sense to clear it? – Candelaria 18/10, 2012 at 11:52

Why would you want to clear $_POST in the first place? It doesn't make any sense at all. Dont post anything to the next page than. – Glauce 18/10, 2012 at 11:52

@Jon: To make sure your interface is exclusively used. – Disembarrass 18/10, 2012 at 11:52

@Wesley: I think you shouldn't create a class that directly uses $_POST anyway, so... – Tully 18/10, 2012 at 11:54

@WesleyMurch: Doesn't sound very convincing to me. If you don't want to touch $_POST then simply don't. – Candelaria 18/10, 2012 at 11:55

There may be other motivations by the OP, but that is a realistic one that I have actually used and to be honest, was quite fond of. it's nice to be certain of things, like that POST data is XSS free or the keys are "safe" (the class may sanitize it then empty the post data, just an example). – Disembarrass 18/10, 2012 at 11:56

I clear $_POST aswell. It's a matter of encapsulation; clearing $_POST after you've used it ensures no other part of the application has access to it; otherwise a random bug anywhere can expose the potentially critical data in $_POST. – Prosper 18/10, 2012 at 11:58

Another cool trick is setting $_POST manually by parsing php://input, in case for example you don't want to deal with the silly "bracket[] field names are arrays" thing and use duplicate input keys like the rest of the non-PHP programming world is able to. In that case I would just clear POST as the first step before repopulating it. – Disembarrass 18/10, 2012 at 12:2

Don't forget that POST data can also be found in $_REQUEST – Durga 10/9, 2015 at 20:5

$_POST data is also accessible via the built-in filtering functions, like so: filter_input(INPUT_POST,'var_int',FILTER_VALIDATE_INT) Even after clearing the $_POST array, coders can still access input this way! – Augmentation 16/6, 2017 at 20:57

I ran into a situation where $_POST supposed to be empty but it is not. In DEV, $_POST is empty as expected. But in PROD, it is not. I have no idea and it will be too time consuming to figure out how $_POST got corrupted. In this case, I make sure $_POST is empty. – Lorrielorrimer 31/3, 2020 at 14:46

Yes, that is fine. $_POST is just another variable, except it has (super)global scope.

$_POST = array();

...will be quite enough. The loop is useless. It's probably best to keep it as an array rather than unset it, in case other files are attempting to read it and assuming it is an array.

Disembarrass answered 18/10, 2012 at 11:50 Comment(5)

Technically it has superglobal scope, since the global scope in PHP isn't. – Decembrist 18/10, 2012 at 11:53

Sounds like you have an unrelated issue. If you read the post data before clearing it it's already too late. – Disembarrass 30/1, 2017 at 18:47

Ah, I didn't know that and was suprised why everybody upvoted, thanks! – Keheley 30/1, 2017 at 18:48

This unsets $_POST, but you can still do this: filter_input(INPUT_POST,'password',FILTER_UNSAFE_RAW) — And things of that sort. (On my FastCGI based PHP installation, this technique returns actual results, despite first unsetting $_POST!) If this is not being done for security reasons, then I fail to understand the legitimate application. – Augmentation 16/6, 2017 at 17:42

even shorter $_POST = []; – Gromyko 21/7, 2020 at 14:30

To unset the $_POST variable, redeclare it as an empty array:

$_POST = array();

Did answered 18/10, 2012 at 11:50 Comment(3)

if you want avoid from re-insert then please use action attribute to direct form submission to other page and the using header redirect to that particular page then your re-submission in the database will fix. @Keheley – Unknown 21/2, 2019 at 17:55

@MatthewSlyman I take back my initial comment now that I understand what you mean. Yes, you can filter input and stuff, but OP did not ask how to ignore post data. could you show us an answere to prevent the dangerous filter_input, maybe? – Gromyko 21/7, 2020 at 14:36

The solutions so far don't work because the POST data is stored in the headers. A redirect solves this issue according this this post.

How to delete $_POST variable upon pressing 'Refresh' button on browser with PHP?

Manheim answered 23/4, 2018 at 20:44 Comment(0)

It may appear to be overly awkward, but you're probably better off unsetting one element at a time rather than the entire $_POST array. Here's why: If you're using object-oriented programming, you may have one class use $_POST['alpha'] and another class use $_POST['beta'], and if you unset the array after first use, it will void its use in other classes. To be safe and not shoot yourself in the foot, just drop in a little method that will unset the elements that you've just used: For example:

private function doUnset()
{
    unset($_POST['alpha']);
    unset($_POST['gamma']);
    unset($_POST['delta']);
    unset($_GET['eta']);
    unset($_GET['zeta']);
}

Just call the method and unset just those superglobal elements that have been passed to a variable or argument. Then, the other classes that may need a superglobal element can still use them.

However, you are wise to unset the superglobals as soon as they have been passed to an encapsulated object.

Woadwaxen answered 8/11, 2015 at 14:26 Comment(0)

You can use a combination of both `unset()` and initialization:

unset($_POST);
$_POST = array();

Or in a single statement:

unset($_POST) ? $_POST = array() : $_POST = array();

But what is the reason you want to do this?

Caliche answered 18/10, 2012 at 11:51 Comment(2)

@Prosper Those who are using the PHP filter functions do not use $_POST to get access to form values. Thus, clearing $_POST is just a way of clearing resources. For instance, if someone dumps more characters into a form field than what is allowed (bypassing all client side validation) and that person is using PHP filter functions, $_POST is something that the developer may want to clear. I have my sanitizer do a pre-check control string lengths, then throw and catch a RangeException if a control has more characters than allowed. One might still use $_POST to get a count of controls submitted. – Basiliabasilian 18/7, 2015 at 22:10

@AnthonyRutledge sure, the point is that in this scenario you don't need to both unset it and set it to an empty array. Simply doing the later is enough to clear it. – Prosper 19/7, 2015 at 16:2

To answer "why" someone might use it, I was tempted to use it since I had the $_POST values stored after the page refresh or while going from one page to another. My sense tells me this is not a good practice, but it works nevertheless.

Asterism answered 4/5, 2014 at 14:16 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

You can use a combination of both unset() and initialization:

Recommended topics

Hot tags

You can use a combination of both `unset()` and initialization: