I have a classifieds website.

In the main page (index) I have several form fields which the user may or may not fill in, in order to specify a detailed search of classifieds.

Ex:

   Category: Cars
   Price from: 3000
   Price to:   10000
   Color: Red
   Area: California

The forms' action is set to a php page:

   <form action='query_sql.php' method='post'>

In query_sql.php I fetch the variables like this:

   $category = $_POST['category'];
   // ... one assignment per form field

Then query MySql:

   // the submitted values are placed straight into the SQL text
   $query = "SELECT ... WHERE category='$category' ...";
   $results = mysql_query($query);

Then I simply display the results of the query to the user by creating a table which is filled in dynamically depending on the results set.

However, according to an answer by Col. Shrapnel in my previous Q I shouldn't use POST here: http://stackoverflow.com/questions/3004754/how-to-hide-url-from-users-when-submitting-this-form

The reason I use POST is simply to hide the "one-page-word-document" long URL in the browser's address bar.

I am very confused, is it okay to use POST or not?

It is working fine both when I use GET or POST now... And it is already on a production server...

Btw, in the linked question, I wasn't referring to making the URL invisible (or hiding it), I just wanted it to look better (which I have accomplished with mod_rewrite).

UPDATE:

If I use GET, then how should I make the url better looking (beautiful)? Check this previous Q out:

http://stackoverflow.com/questions/3000524/how-to-make-this-very-long-url-appear-short

+11  A: 
  • Search engines won't index the results
  • People can't bookmark searches
  • People can't send a link to their searches to their friends
  • People can't link to results page from their own webpages
  • Some people can't go Back to the page without receiving scary "Do you want to resubmit the form?"

If I use GET, then how should I make the url better looking (beautiful)?

You shouldn't. It doesn't matter. The number of users who would notice the URL the form submitted to is tiny, and the number who care is even smaller.

David Dorward
check my update pls
Camran
@Camran re your update, I would say that's a different question.
Pekka
Camran
If you want to beautify the URL after the question mark you need to use Javascript to create a beautiful URL from your form field values. But I would advise against this, because search engines don't understand Javascript. And it should be no problem to use an *ugly* URL for search results (almost every website does it like this). To shorten your URL you can shorten your field names if possible.
jigfox
Who says search engines ignore URLs that are long and ugly?
Pekka
If you have a lot of options then it is entirely possible that search engines won't index the content … but that's one consideration out of five.
David Dorward
What if I have a sitemap which is updated regularly, and where I have the rewritten URLS to the classifieds in? Would search engines go through this sitemap regularly and index the classifieds that way then?
Camran
who says search engines fill search forms?
Col. Shrapnel
People fill search forms, then copy/paste URIs into webpages, which search engines index.
David Dorward
David, please answer if a Sitemap would be of choice here? I believe that would solve my prob, but need confirmation on this. What do you think?
Camran
@Camran - re. sitemap - yes, it would. You just need a page which links to every possible search page that you want indexed.
sri
@David got an example? and what are these people in the context of search engines at all?
Col. Shrapnel
An example of what? People copy/pasting URLs into webpages? Such as http://www.google.co.uk/search?q=people%20pasting%20urls%20into%20web%20pages ? Search engines don't submit forms, they do follow links. A URL is a URL, it doesn't matter if it is used in a link or generated by a form, it still goes to the same place.
David Dorward
+1  A: 

The idea behind using GET over POST is that using GET, you have a search URL that you can modify in the address bar, bookmark, and pass on.

Technically, both methods are fine and basically interchangeable if you have no need to address these aspects, and are passing data from one page to the next.

One big difference between GET and POST is that GET parameters shouldn't exceed 1-2 kilobytes in size. The size limit for POST requests is usually in the dozens of megabytes.

Pekka
There's one big difference: GET requests are supposed to be idempotent (per the standard). Not that this is always respected... (e.g. "click the link to validate your e-mail")
Artefacto
@Arte interesting, didn't know that! And yes, it's often not respected...
Pekka
-1 for suggesting they are interchangeable - RTFM Pekka!
symcbean
@symcbean you have a point. I clarified what I mean.
Pekka
A: 

First of all remember to sanitize your input using mysql_real_escape_string. GET vs POST is practically the same except that:

  • With POST you can't bookmark the page
  • With GET you can't post files and there's a length limit on the query string

I use POST only when I know that the page will modify something server side (i.e. DB update) and then do a redirect to another page.

Keeper
There's a limit on GET request as well: http://stackoverflow.com/questions/266322/http-uri-get-limit
Alsciende
+1  A: 

You probably want to perform some vetting on the user inputs to mitigate against SQL injection attacks as it looks like the input is directly manipulating the SQL statement

danrichardson
A: 

David Dorward's answer addresses most of the points - however a big one he misses out is the issue of cacheability.

POST and GET have very specific semantics - POST should mean the request changes the data on the system, while GET does NOT. Therefore the response to a POST should not be cached. But the response to a GET may be cached (depending on the headers sent).

NB content is not just cached on the browser.

C.

symcbean
POST requests can be cached if suitable HTTP response headers are sent.
David Dorward
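The two answers above that warn about the query (Keeper's and danrichardson's) and symcbean's point about cacheability can be shown together. The following is an added example, not the asker's `query_sql.php` and not code from any answer: it reads the same search fields from GET, keeps user input out of the SQL text with a prepared statement plus whitelists, and marks the read-only result page cacheable. The table name, columns, whitelist values, DSN and credentials are assumptions.

```php
<?php
// Added example, not the asker's query_sql.php and not code from any answer.
// It keeps the same search fields but (1) reads them from GET, since a search
// is read-only, (2) never puts user input into the SQL text, and (3) marks the
// response cacheable. Assumed schema: classifieds(id, title, category, price,
// color, area); the DSN and credentials are placeholders.

if (!in_array($_SERVER['REQUEST_METHOD'], ['GET', 'HEAD'], true)) {
    header('Allow: GET, HEAD');
    http_response_code(405);
    exit;
}

// Constructed whitelists for the fields that look like free text.
$allowed = [
    'category' => ['cars', 'boats', 'furniture'],
    'color'    => ['red', 'blue', 'black', 'white'],
    'area'     => ['california', 'nevada', 'oregon'],
];

// Turns the submitted fields into an SQL string with placeholders plus the
// bound values. Column names come from our own list, never from the request.
function build_search_query(array $params, array $allowed): array
{
    $where  = [];
    $values = [];

    foreach (['category', 'color', 'area'] as $field) {
        $value = strtolower(trim((string) ($params[$field] ?? '')));
        if ($value === '') {
            continue;                          // field left blank: no filter
        }
        if (!in_array($value, $allowed[$field], true)) {
            throw new InvalidArgumentException("invalid $field");
        }
        $where[]  = "$field = ?";
        $values[] = $value;
    }

    foreach (['price_from' => '>=', 'price_to' => '<='] as $field => $op) {
        if (!isset($params[$field]) || $params[$field] === '') {
            continue;
        }
        $price = filter_var($params[$field], FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 0]]);
        if ($price === false) {
            throw new InvalidArgumentException("invalid $field");
        }
        $where[]  = "price $op ?";
        $values[] = $price;
    }

    $sql = 'SELECT id, title, price FROM classifieds';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql . ' ORDER BY price LIMIT 100', $values];
}

try {
    [$sql, $values] = build_search_query($_GET, $allowed);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad search parameters');
}

// Real (non-emulated) prepared statements: values travel separately from the
// statement text, so a quote or comment marker in a field is just data.
$pdo = new PDO('mysql:host=localhost;dbname=classifieds;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($values);

// A GET result page may be cached by the browser and by intermediaries for a
// while; the same search submitted by POST would normally not be.
header('Cache-Control: public, max-age=300');
header('Content-Type: text/html; charset=utf-8');

echo '<table>';
foreach ($stmt as $row) {
    // Listing titles are user data landing in HTML, so they are escaped too.
    echo '<tr><td>', htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'),
         '</td><td>', (int) $row['price'], '</td></tr>';
}
echo '</table>';
```

The whitelists do the work that `mysql_real_escape_string` was being asked to do in the answers: a value that is not on the list never reaches the database at all, and the values that do reach it are bound, not concatenated. The `Cache-Control` header is what makes the GET result page cacheable in practice; without explicit freshness information most caches will not store it either way.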
+1  A: 

GET should be used for requests which are either read-only or don't have any side-effects on the data (i.e. they should be idempotent, as mentioned in the HTTP documentation). You should be able to submit a GET request as many times as you want without it affecting what results will be returned. (You may not always get the same result though, since something else may have changed in the meantime of course, but the GET request shouldn't change the data itself).

So searching comes under this category, since you shouldn't be changing any data on your system which will affect the output when you search, you're just giving data to the user based on some parameter they're giving you.

Of course some data you will always want to be updated, such as statistics (as mentioned in the comments), and this is fine with GET, as it won't affect the response, it's just to keep a record of all the requests made, etc.

POST should be used when any destructive action is performed (by destructive, I mean when data is changed.. not just delete). So add, update, delete, etc.

This is why a browser will usually prompt you if you want to resubmit a POST request, but not for GET. It's because POST is meant to be used when data is going to be changed.

Also, some browsers can pre-fetch the pages from links on your page (to try and give the illusion of speed when a link is eventually clicked). If the GET action does something destructive (such as delete a record), then this could be inadvertently triggered simply by visiting the page the link is on for example.

If you're worried about your URLs looking "messy", you can use something like mod_rewrite to make the URLs more human friendly. So "http://yoursite.com/search/cars/red" could map to "http://yoursite.com/search.php?category=cars&color=red" for example.

Rich Adams
The likelihood is that search WILL change data on your system. Statistics are important. Also, just because an operation doesn't change a system isn't cause to call it idempotent. Idempotents get the same result for the same input, search might not despite not having changed the system. OTOH I agree that search should use GET
Matt Ellen
Idempotence doesn't necessarily mean that the same input = same result. It means that if you give the same input multiple times, it won't have any side effects on the result (but the result could be different if something else has updated the data). So statistics are fine since they won't affect the output and you'll want to collect them for every request anyway. I have updated my answer to try and make this a bit clearer, although I fear I've just made it more confusing :)
Rich Adams
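The answer above describes why a destructive action must not sit behind a GET link (prefetchers and crawlers follow links) and why browsers prompt before resubmitting a POST. The following is an added example, not code from the answer or the asker's site: it shows the risky link pattern as a comment, then a delete that only works as a POST carrying a per-session token and finishes with a redirect so that reload and back do not repeat it. The `classifieds(id, owner_id)` schema, the `delete.php` name and the `/my-ads` landing page are assumptions.

```php
<?php
// Added example, not from the answer above. A state-changing action (deleting
// a classified) kept off GET so that link prefetch, crawlers and the back
// button cannot trigger it. Assumed schema: classifieds(id, owner_id);
// assumed that the logged-in user's id is stored in $_SESSION['user_id'].
session_start();

// Risky pattern the answer warns about:
//   <a href="delete.php?id=42">Delete</a>
// Anything that follows links (a prefetching browser, a crawler, a pasted
// URL) would perform the delete.

// Per-session token so that only a form rendered by this site can submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// The link is replaced by a small POST form.
function render_delete_form(int $id): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<form action='delete.php' method='post'>"
         . "<input type='hidden' name='id' value='$id'>"
         . "<input type='hidden' name='csrf' value='$token'>"
         . "<button type='submit'>Delete</button></form>";
}

// delete.php: refuses anything but POST, checks the token, then redirects.
function handle_delete(PDO $pdo): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Allow: POST');
        http_response_code(405);          // GET and HEAD never delete
        exit;
    }
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf'] ?? '', $sent)) {
        http_response_code(403);
        exit;
    }
    $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit;
    }
    // Ownership is part of the WHERE clause, so a valid token from one user
    // still cannot remove another user's listing.
    $stmt = $pdo->prepare('DELETE FROM classifieds WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $_SESSION['user_id'] ?? 0]);

    // Redirect after POST: the page the user ends up on is a plain GET, so
    // reload or back does not repeat the delete or raise the resubmit prompt.
    header('Location: /my-ads', true, 303);
    exit;
}
```

Rejecting non-POST requests with 405 is the server-side half of the rule in the answer: even if a delete URL does get linked or prefetched somewhere, following it changes nothing.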
A: 

It sounds like you're concerned with not-friendly URLs, i.e., you want to have friendly URLs throughout your site/application. If so, you can continue to use POST in your scenario, but do a redirect after POST. By doing a redirect-after-post, the redirected URL which renders the results of your search can be made friendly and short, while you can use POST to pass more parameters in the request to the server and avoid the long query string associated with the GET URL.

To learn more about redirect-after-post, check out this article http://www.theserverside.com/news/1365146/Redirect-After-Post

Khnle
A: 

Did you consider:

Submitting the form via GET (or POST), then server-side read the contents of the form (from the url or post data), form a nice url, then 301-redirect to that url.

That way you have complete control of the URL (e.g. it's not up to the browser/form how the URL looks), and you get all the benefits of using GET, e.g. bookmarkable, linkable, back-button friendly, etc.

Alex Black
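Khnle's and Alex Black's answers both describe the same flow: accept the form submission, build a short URL server-side, redirect to it, and let that GET URL be the one people bookmark. The following is an added example, not code from either answer: the submit handler normalises the fields into a `/search/<category>/<color>` path and redirects, and a rewrite rule (shown as a comment) maps that path back to an ordinary `search.php?category=...&color=...` request. The whitelist values, the path layout and the file names are assumptions.

```php
<?php
// Added example, not from either answer above. The search form (GET or POST)
// submits to this script, which turns the fields into a short path and
// redirects there. Assumed rewrite rule mapping the pretty path back to an
// ordinary query string (search.php treats the word "any" as "no filter"):
//
//   # .htaccess (assumed layout)
//   RewriteEngine On
//   RewriteRule ^search/([a-z]+)/([a-z]+)/?$ search.php?category=$1&color=$2 [L,QSA]

// Constructed whitelists: only these words may appear in the path.
$allowed = [
    'category' => ['cars', 'boats', 'furniture'],
    'color'    => ['red', 'blue', 'black', 'white'],
];

// Returns the canonical search URL for the submitted fields, or null when a
// field holds something that is not on the list (no unknown input reaches
// the path or the query string).
function pretty_search_path(array $in, array $allowed): ?string
{
    $segments = [];
    foreach (['category', 'color'] as $field) {
        $v = strtolower(trim((string) ($in[$field] ?? '')));
        if ($v === '') {
            $v = 'any';                       // keeps segment positions stable
        } elseif (!in_array($v, $allowed[$field], true)) {
            return null;
        }
        $segments[] = $v;
    }

    // The numeric range stays in the query string; QSA on the rewrite rule
    // carries it through. Only well-formed non-negative integers survive.
    $query = [];
    foreach (['price_from', 'price_to'] as $field) {
        if (isset($in[$field]) && $in[$field] !== '') {
            $n = filter_var($in[$field], FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 0]]);
            if ($n === false) {
                return null;
            }
            $query[$field] = $n;
        }
    }

    $path = '/search/' . implode('/', $segments);
    return $query ? $path . '?' . http_build_query($query) : $path;
}

$input  = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
$target = pretty_search_path($input, $allowed);
if ($target === null) {
    http_response_code(400);
    exit('Bad search parameters');
}

// 303 is the status defined for "see the result of this submission at this
// GET URL". A 301 is cacheable and states that the submit URL itself has
// moved, which is not what is meant here.
header('Location: ' . $target, true, 303);
exit;
```

With the form action pointing at this script, a submission of `Category: Cars`, `Color: Red`, `Price from: 3000` lands the user on `/search/cars/red?price_from=3000`, which is short, bookmarkable and linkable, while the rewrite rule keeps the actual search code reading plain `$_GET` parameters.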