Hypertext Transfer Protocol (HTTP) is the language of the web. It is a request-response protocol, i.e., a web client such as a browser (e.g., Google Chrome, Firefox, Safari, etc.) asks for a page from a web server, which sends back the page as a response.
If you type http://www.facebook.com
into your browser, this is what the raw information sent as a request may look like:
GET / HTTP/1.1
Host: facebook.com
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept: */*
Referer:
It is made up of a request line (GET / HTTP/1.1), a number of header field lines named as <key>: value
(e.g. Accept: */*
), a single empty line and an optional body for any data payload (for example, query parameters or post data).
When the HTTP Request reaches a web server that is running PHP, it is then translated into some global variables for the PHP environment. Let us now turn our attention to these variables.
$_REQUEST
is a superglobal variable. It is available in all scopes everywhere in a script as an associative array of the contents of $_GET
, $_POST
and $_COOKIE
variables. These variables in $_REQUEST
are made available through the GET, POST, and COOKIE input mechanisms. Potentially, they could be modified by a user and therefore cannot be trusted. The inclusion and order of variables listed in this array is defined by the PHP variables_order
configuration directive in the php.ini
file.
The variables_order
directive sets the order in which the following variables are parsed - EGPCS (Environment, Get, Post, Cookie, and Server). It is a string made of the first letter of the variables. If any are left out, there will be no superglobal variable for the letter available. For example, if variables_order
is set to "SP", PHP will create the superglobals $_SERVER
and $_POST
, but $_ENV
, $_GET
, and $_COOKIE
will not be created at all. If the variables_order
is set to ""
, it effectively means no superglobals are set.
$_REQUEST
holds any global data that is registered with the request_order
directive in the php.ini
file. The order of the data is similar to that of variables_order
directive. If request_order
is empty, PHP will use the value of variables_order
.
If the deprecated register_globals
directive is on, then variables_order
also configures the order the ENV, GET, POST, COOKIE and SERVER variables are populated in global scope. For example, if variables_order
is set to "EGPCS", register_globals
is enabled as well as both $_GET['action']
and $_POST['action']
are set, then $action
will contain the value of $_POST['action']
as P comes after G in our example directive value.
A final observation in both the CGI and FastCGI SAPIs - $_SERVER
holds values from both the Environment and Server. Therefore, in such setups, S is always equivalent to ES regardless of the placement of E elsewhere in this directive. In fact, the E is effectively redundant in these situations.
From the preceding, we can observe many moving parts between a request and what eventually gets processed by the web server. The HttpFoundation component from the Symfony project crystallizes the HTTP specification into a uniform object-oriented layer with two prominent classes - Request
and Response
. The Request
object sanitizes the incoming request and encapsulates it in a single object representing the HTTP request message. It also provides built-in methods for doing certain things, e.g. isSecure()
, and provides session-management through a Session
object.
HTTP is a stateless protocol. In order to deliver a simple web page, there may be hundreds of HTTP requests. Different web technologies have different approaches to dealing with this situation, e.g. Node.js and Ruby. Drupal 8 is built on a PHP solution provided by the HttpFoundation component from Symfony.