I think the title is my question. I would like to know what's the difference when using GET or POST method in php. Which one is more secure? What are dis/advantages of each of them?
Thanks
EDIT: I also found similar question to this one here.
I think the title is my question. I would like to know what's the difference when using GET or POST method in php. Which one is more secure? What are dis/advantages of each of them?
Thanks
EDIT: I also found similar question to this one here.
When the user enters information in a form and clicks Submit , there are two ways the information can be sent from the browser to the server: in the URL, or within the body of the HTTP request.
The GET method, which was used in the example earlier, appends name/value pairs to the URL. Unfortunately, the length of a URL is limited, so this method only works if there are only a few parameters. The URL could be truncated if the form uses a large number of parameters, or if the parameters contain large amounts of data. Also, parameters passed on the URL are visible in the address field of the browsernot the best place for a password to be displayed.
The alternative to the GET method is the POST method. This method packages the name/value pairs inside the body of the HTTP request, which makes for a cleaner URL and imposes no size limitations on the forms output. It is also more secure.
Get and Post methods have nothing to do with the server technology you are using, it works the same in php, asp.net or ruby. GET and POST are part of HTTP protocol. As mark noted, POST is more secure. POST forms are also not cached by the browser. POST is also used to transfer large quantities of data.
Adding to mark's Answer, sometimes you will also need to encode parameter values if you use HTTP GET.
I use GET when I'm retrieving information from a URL and POST when I'm sending information to a URL.
It's not a matter of security. The HTTP protocol defines GET type requests as being idempotent, while POST may have side effects. In pain English that means that GET is used for viewing something, without changing it, while POST is used for changing something. For example, a search page should use GET, while a form that changes your password should use POST.
Also, note that PHP confuses the concepts a bit. A POST request gets input from the querystring and through the request body. A GET request just gets input from the querystring. So a POST request is a superset of a GET request; You can use $_GET
in a POST request, and it may even make sense to have a parameter with the same name in $_POST
and $_GET
, meaning different things. For example, let's say you have a form for editing an article. The article-id may be on the querystring (So, available through $_GET['id']
), but let's say that you want to change the article-id. The new id may then be present in the request body (Eg. $_POST['id']
). OK, perhaps not the best example, but I hope it illustrates the difference between the two.
You should use POST if there is a lot of data, or sort-of sensitive information (really sensitive stuff needs a secure connection as well).
Use GET if you want people to be able to bookmark your page, because all the data is included with the bookmark.
Just be careful of people hitting REFRESH with the GET method, because the data will be sent again every time without warning the user (POST sometimes warns the user about resending data).
I think this question has been very well answered but just to recap: For security purposes and for usability I essentially always use POST.
The only situation in which I use GET with any regularity is when I am passing a non-sensitive value (i.e. a record number) to a child script. GET works really well for this because you can simply make calls to the child script by passing it the GET value in the URL. For example: http://domain.com/script.php?record=100, "?record=100" is passing the GET parameter (named "record") with the value of 100 to the script named "script.php".
Do you have any further questions on the subject of GET/POST?
Troelsn, perhaps you meant that $_REQUEST array in PHP contains both get and post?
There are two common "security" implications to using GET. Since data appears in the URL string its possible someone looking over your shoulder at Address Bar/URL may be able to view something they should not be privy to such as a session cookie that could potentially be used to hijack your session. Keep in mind everyone has camera phones.
The other security implication of GET has to do with GET variables being logged to most web servers access log as part of the requesting URL. Depending on the situation, regulatory climate and general sensitivity of the data this can potentially raise concerns.
Some clients/firewalls/IDS systems may frown upon GET requests containing an excessive amount of data and may therefore provide unrelable results.
POST supports advanced functionality such as support for multi-part binary input used for file uploads to web servers.
POST requires a content-length header which may increase the complexity of an application specific client implementation as the size of data submitted must be known in advance preventing a client request from being formed in an exclusivly single-pass incremental mode.. Perhaps a minor issue for those choosing to abuse HTTP by using it as an RPC transport.
Others have already done a good job in covering the semantic differences and the "when" part of this question.
The reason for using POST when making changes to data:
Also, don't put sensitive information in the query string (only option with GET) because it shows up in the address bar, bookmarks and server logs.
Hopefully this explains why people say POST is 'secure'. If you are transmitting sensitive data you must use SSL.
1> GET method is use to send the less sensitive data where as POST method is use to send the sensitive data. 2> using the POST method you can send large amount of data compare the GET method. 3>Data send by GET method is visible in browser header bar where as data send by POST method is invisibe.
Here is the good article that explains HTTP POST and HTTP GET request
http://patelshailesh.com/index.php/http-get-and-http-post-in-asp-net