Is it bad practice to write to $_POST?

If this is file_1.php

<?php

  $_POST["test_message"] = "Hello, world";    

  header("Location: http://localhost/file_2.php");
?>

and this is file_2.php

<html>
<head>
</head>
<body>

<?php

  if (!(isset($_POST["test_message"])))
    echo "Test message is not set";
  else
    echo $_POST["test_message"];
?>

</body>
</html>

the output is Test message is not set

Which makes me wonder if one can even write to $_POST and, having wondered that, I wonder if it is bad practice to do so. Should I just let forms with submit buttons and method=post write to $_POST for me, or is it legitimate to write to $_POST to pass data between files?


You want to use $_SESSION instead.

$_POST is for information that has been POSTed to the current page and doesn't maintain state between page loads; it will only be populated if you actually post something to the second file when redirecting. If you were to include the second file, rather than redirecting via a header, then what you've done would work, since the $_POST variable would still be set.

$_SESSION will maintain state between pages, so will accomplish what you want when redirecting.

To use $_SESSION properly, you'll need to call session_start(); first to begin the session. There's more info in the PHP manual.
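The session-based hand-off described in this answer, as an added example that is not part of the original post or its answers: one script plays both file_1.php and file_2.php, keeps server-side data in $_SESSION rather than $_POST, and escapes the value on output. The file name `flash_demo.php`, the session key `flash_message` and the `step` query parameter are assumptions made for the illustration.

```php
<?php
// flash_demo.php (hypothetical file name): one script playing both roles from
// the question, so it can be served with `php -S localhost:8000`.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,   // session cookie not readable from JavaScript
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true,   // reject session IDs the server did not issue
]);

const FLASH_KEY = 'flash_message';   // assumed key name, server-side data only

if (($_GET['step'] ?? '') !== 'show') {
    // Role of file_1.php: store internal data in the session, never in $_POST.
    $_SESSION[FLASH_KEY] = 'Hello, world';
    // Redirect back to this script; the browser then makes a NEW request.
    header('Location: ' . $_SERVER['SCRIPT_NAME'] . '?step=show', true, 303);
    exit;   // stop here so nothing else runs after the redirect header
}

// Role of file_2.php: a separate request, so $_POST is empty again.
$message = $_SESSION[FLASH_KEY] ?? null;
unset($_SESSION[FLASH_KEY]);          // one-time message: read once, then drop

// $_POST stays what it is: untrusted input from the client, kept apart.
$postedKeys = array_keys($_POST);
?>
<html>
<head></head>
<body>
<?php if ($message === null): ?>
  Test message is not set
<?php else: ?>
  <?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?>
<?php endif; ?>
  <p>Fields posted by the client in this request: <?= count($postedKeys) ?></p>
</body>
</html>
```

Reloading the `?step=show` URL afterwards prints "Test message is not set", because the message was removed from the session after its first read.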


$_POST["test_message"] is blank in file2.php because you have not actually posted anything to that script. The $_POST array is populated by POSTing form data. You could populate $_GET by appending a GET variable to your header redirect, or store data in $_SESSION if you need data persistence between pages.


Look at it from the web server's perspective: it receives a request for file_1.php, runs that PHP file, and sends back the result, which happens to include a Location: header. Then some time later, it receives a separate request for file_2.php, so it loads and runs that file and sends back the result, which is an HTML page. The point is, the two files are used in completely separate HTTP requests. Each one is run in a separate environment, so for example, any changes that are made to variables in one are not reflected in the other one. The $_POST in the request for file_1.php is a separate variable from the $_POST in the request for file_2.php.

As far as your actual question: I think you can write to $_POST, but it's probably not recommended. That's not really what the variable is for.


Generally speaking, $_POST is just a regular PHP array that's populated with the POST data on each request. It's therefore possible to write your own values into $_POST.

But...

1) Your code doesn't work as your header() call in file_1.php instructs the browser to issue a new request which results in a completely new (and empty) $_POST array in file_2.php. The array will be empty because you didn't post anything to file_2.php.

2) In my opinion it's indeed bad practice... Getting data from $_POST (or $_GET or $_REQUEST) indicates that you're retrieving user data which should be handled with extreme caution (filtering, sanitizing, escaping,...). Writing internal data into these arrays will mix up internal and external data leading to confusion and probable security holes.


It's absolutely fine to do that. If you look at all the big PHP frameworks (CI, Cake, Joomla, etc.), they all post via the index.php page through a controller to the final destination (usually using some helper code). Therefore, the $_POST variable is buried quite a few layers deep. Remember, the $_POST variable is ONLY valid for that transitory moment while the HTTP request is active, so when the request is complete, all variables are reset to null.

The $_SESSION variable CAN be used if you want to persist between requests, though it depends on your requirement and scenario.


The $_POST should only be used with forms, not like this:

$_POST["test_message"] = "Hello, world";

You also need to make sure that you avoid any security risks; use functions like stripslashes and mysql_real_escape_string (when inserting data into a database).

To maintain state between pages, you need to use the sessions instead.


Your example cannot work; see the other answers, which explain why.

Furthermore, using the $_POST superglobal as data storage is a pretty bad idea, imho. Use a specific variable-sharing solution if you need one (like a database, in-memory registry, session, cookie, etc.).
