Is using superglobals directly good or bad in PHP?

by

I do like to wrap $_SESSION, $_POST, $_GET, and $_COOKIE into OOP structures.

I use this method to centralize code that handles sanitation and validation, all of the necessary isset () checks, nonces, setcookie parameters, etc. It also allows client code to be more readable (and gives me the illusion that it’s more maintainable).

It may be difficult to enforce use of this kind of structure, especially if there are multiple coders. With $_GET, $_POST, and $_COOKIE (I believe), your initialization code can copy the data, then destroy the superglobal. Maybe a clever destructor could make this possible with $_SESSION (wipe $_SESSION on load, write it back in the destructor), though I haven’t tried.

I don’t usually use any of these enforcement techniques, though. After getting used to it, seeing $_SESSION in code outside the session class just looks strange, and I mostly work solo.

EDIT
Here’s some sample client code, in case it helps somebody. I’m sure looking at any of the major frameworks would give you better ideas…

$post = Post::load ();  
$post->numeric ('member_age');  
$post->email ('member_email');
$post->match ('/regex/','member_field');
$post->required ('member_first_name','member_email');
$post->inSet ('member_status',array('unemployed','retired','part-time','full-time'));
$post->money ('member_salary');
$post->register ('member_last_name'); // no specific requirements, but we want access
if ($post->isValid())
{
  // do good stuff
  $firstName = $post->member_first_name;
}
else
{
  // do error stuff
}

Post and its friends all derive from a base class that implements the core validation code, adding their own specific functionality like form tokens, session cookie configuration, whatever.

Internally, the class holds a collection of valid data that’s extracted from $_POST as the validation methods are called, then returns them as properties using a magic __get method. Failed fields can’t be accessed this way. My validation methods (except required) don’t fail on empty fields, and many of them use func_get_args to allow them to operate on multiple fields at once. Some of the methods (like money) automatically translate the data into custom value types.

In the error case, I have a way to transform the data into a format that can be saved in the session and used to pre-populate the form and highlight errors after redirecting to the original form.

One way to improve on this would be to store the validation info in a Form class that’s used to render the form and power client-side validation, as well as cleaning the data after submission.

More Related Contents:

  1. Are global variables in PHP considered bad practice? If so, why?
  2. How to declare a global variable in php?
  3. PHP variables in anonymous functions
  4. Warning “Do not Access Superglobal $_POST Array Directly” on Netbeans 7.4 for PHP
  5. Can’t access global variable inside function
  6. PHP session side-effect warning with global variables as a source of data
  7. CodeIgniter – best place to declare global variable
  8. What’s the difference between $_POST, $_GET, and $_REQUEST?
  9. Get variables from the outside, inside a function in PHP
  10. PHP pass variable to include
  11. The advantage / disadvantage between global variables and function parameters in PHP?
  12. Modify a globally scoped variable inside of an anonymous function
  13. Declaring a global variable inside a function
  14. How to access a variable across two files
  15. (PHP) Warning: file_get_contents() [function.file-get-contents]: couldn’t resolve host name
  16. How to change mysql to mysqli?
  17. PHP: Replace umlauts with closest 7-bit ASCII equivalent in an UTF-8 string
  18. Fatal error: Class ‘SoapClient’ not found
  19. Which is faster in PHP, $array[] = $value or array_push($array, $value)?
  20. Upload Multiple Files with PHP and JQuery
  21. mcrypt_encrypt to openssl_encrypt, and OPENSSL_ZERO_PADDING problems
  22. When using Gmail for SMTP, can you set a different “from” address?
  23. Combine PHP prepared statments with LIKE
  24. Explode string on commas and trim potential spaces from each value
  25. Nullable return types in PHP7
  26. Setting up PHPMailer with Office365 SMTP
  27. Convert Lat/Longs to X/Y Co-ordinates
  28. Difference between float and double in php?
  29. Access-Control-Allow-Origin on chrome extension
  30. What is the PDO equivalent of function mysql_real_escape_string?

Leave a Comment