Rules for naming POST/GET variables?

Question

Are there any rules one needs to follow when naming POST variables in a form or GET variables in a query string?

Thanks-

Answer 1

TO answer the question literally, there really are no "rules" I'm aware of for naming $_POST and $_GET array keys in php. It's an array like any other. Take a look at this working example on Codepad:

<?php
$_POST['♠♣♥♦'] = 'value1';
$_POST['\'\'\'\''] = 'value2';
$_POST['<?php echo "Hello World"; ?>'] = 'value3';
$_POST['     '] = 'value4';
$_POST[''] = 'value5';
$_POST['@#$%^&*()'] = 'value6';

print_r($_POST);

In the case of form input names, they just have to be legal HTML "name" attributes (see below). However, in practice, a lot of unusual characters will actually work. Keep in mind that this doesn't mean it's a good idea. Different servers (and probably different browsers) will act differently with some characters like spaces for instance.

As Tadeck has noted, duplicate keys will be overwritten by the last one when reading, but using brackets[] will solve this on the client side by turning the variable into an array.

As far as naming conventions and best practices, there isn't a lot of room. It's suggested that you stick to A-Z a-z 0-9, dashes, and underscores. Although Ajay has suggested using database column names for form input names as a matter of convenience, many people will tell you that it is bad practice to expose information about your database to the public. I think invertedlambda probably has the closest answer here to the question, and Tadeck has the closest answer as far as best practices.

Regarding HTML "name" attributes: http://www.w3.org/TR/html4/types.html#h-6.2

ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".").

Maybe someone can enlighten me as to whether or not the above document is a rule or a recommendation, I'm by no means an expert on this subject. I seem to have no issues breaking some of these rules in practice. I also have no problem validating this example document as XHTML strict:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
</head>
<body>
<div><form action="" method="post">
<div>
<input name="♠♣♥♦" />
<input name="''''" />
<input name=")(&amp;#$)%#$%" />
</div>
</form>
</div>
</body>
</html>

Paste it into the validator, it will pass.

---

One more best practice to add: Make your form input names or get/post keys meaningful, as with every other naming convention of course. Don't use input1 and $_GET['param']. Use names that describe the meaning, like last_name or $_GET['sort_order'].

Answer 2

I believe the best solution is to:

• use lower cases,
• NOT use dots, any other special characters (undescores are acceptable),
• understand the way they are passed during request (eg. name="test[][]" will create value within array that is within other array) and use it properly,
• avoid creating conflicts (eg. ?test=1&test=2 will create problems as only one of the values will be passed - better use ?test[]=1&test[]=2 so the array with two values will be passed),
• be consistent,

Furthermore, browse through different solutions that you may find on GitHub.com so you will be using practices that are good, tested and used by many people.