views: 6546
answers: 13

I think the title is my question. I would like to know what the difference is between using the GET and POST methods in PHP. Which one is more secure? What are the advantages and disadvantages of each of them?

Thanks

EDIT: I also found a similar question to this one here.

+3  A: 

When the user enters information in a form and clicks Submit, there are two ways the information can be sent from the browser to the server: in the URL, or within the body of the HTTP request.

The GET method, which was used in the example earlier, appends name/value pairs to the URL. Unfortunately, the length of a URL is limited, so this method only works if there are only a few parameters. The URL could be truncated if the form uses a large number of parameters, or if the parameters contain large amounts of data. Also, parameters passed on the URL are visible in the address field of the browser, not the best place for a password to be displayed.

The alternative to the GET method is the POST method. This method packages the name/value pairs inside the body of the HTTP request, which makes for a cleaner URL and imposes no size limitations on the form's output. It is also more secure.

How is it more "secure"?
Julian Reschke
Because it's harder to change? You can change GET in the address bar, but it's not that easy with POST.
The server can't trust the client. Designing your application around false assumptions, is far from secure.
troelskn
OpenID is also not safe, because it can be broken?
+3  A: 

GET and POST methods have nothing to do with the server technology you are using; they work the same in PHP, ASP.NET or Ruby. GET and POST are part of the HTTP protocol. As Mark noted, POST is more secure. POST forms are also not cached by the browser. POST is also used to transfer large quantities of data.

gnomixa
A: 

Adding to Mark's answer, sometimes you will also need to encode parameter values if you use HTTP GET.

Igor Zelaya
+3  A: 

I use GET when I'm retrieving information from a URL and POST when I'm sending information to a URL.

Mark Biek
+14  A: 

It's not a matter of security. The HTTP protocol defines GET type requests as being idempotent, while POST may have side effects. In plain English that means that GET is used for viewing something, without changing it, while POST is used for changing something. For example, a search page should use GET, while a form that changes your password should use POST.

Also, note that PHP confuses the concepts a bit. A POST request gets input from the querystring and through the request body. A GET request just gets input from the querystring. So a POST request is a superset of a GET request; you can use $_GET in a POST request, and it may even make sense to have a parameter with the same name in $_POST and $_GET, meaning different things. For example, let's say you have a form for editing an article. The article-id may be on the querystring (so, available through $_GET['id']), but let's say that you want to change the article-id. The new id may then be present in the request body (e.g. $_POST['id']). OK, perhaps not the best example, but I hope it illustrates the difference between the two.

troelskn
There is definitely a security aspect to the difference between GETs and POSTs. A malicious site can stick an arbitrary GET request in an image tag, for instance, causing users to do a GET against another server. If this GET is like http://otherserver/deletemyaccount then bad things happen.
Frank Schwieterman
What I meant was that contents of $_POST is not magically hidden from malicious users. There are obviously security aspects to all thing programming.
troelskn
This post doesn't answer the question completely because it doesn't mention the security implications. The top part is good as long as the spelling error "pain English" is changed to "plain English". The bottom part is too hard to follow. On the whole, much better than my post though. :-)
Akrikos
@troelskn hehe, pain English huh?
melaos
@melaos It can be ;)
troelskn
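As an added example that is not part of troelskn's answer: a PHP edit script along the lines he describes, where $_GET['id'] names the article on every request method and $_POST['id'] carries the new id only when the form is submitted. The file name edit.php, the parameter names and the in-memory $articles table are constructed for the example.

```php
<?php
// Added example, not code from the original answer. The file name edit.php,
// the 'id' parameters and the $articles table are constructed for illustration.
declare(strict_types=1);

// Constructed sample data standing in for a database table.
$articles = [
    100 => ['title' => 'GET versus POST'],
    101 => ['title' => 'Idempotent methods'],
];

// The query string exists on every HTTP request, so $_GET['id'] identifies the
// article whether the browser is fetching the form (GET) or submitting it (POST).
$currentId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($currentId) || !isset($articles[$currentId])) {
    http_response_code(404);
    exit("unknown article\n");
}

switch ($_SERVER['REQUEST_METHOD']) {
    case 'GET':
        // Safe request: render the form and change nothing. The action keeps the
        // current id in the query string so it is still in $_GET on submit.
        $title = htmlspecialchars($articles[$currentId]['title'], ENT_QUOTES, 'UTF-8');
        echo <<<HTML
<form method="post" action="edit.php?id={$currentId}">
  <p>Editing article {$currentId}: {$title}</p>
  <label>New id <input type="number" name="id" value="{$currentId}"></label>
  <button type="submit">Rename</button>
</form>
HTML;
        break;

    case 'POST':
        // Same parameter name, different meaning: the body (parsed into $_POST)
        // carries the id the article should have after the change.
        $newId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
        if (!is_int($newId) || $newId < 1) {
            http_response_code(400);
            exit("new id must be a positive integer\n");
        }
        if ($newId !== $currentId && isset($articles[$newId])) {
            http_response_code(409);
            exit("article {$newId} already exists\n");
        }
        // Apply the change (here only to the in-memory array).
        $articles[$newId] = $articles[$currentId];
        if ($newId !== $currentId) {
            unset($articles[$currentId]);
        }
        echo "article {$currentId} is now {$newId}\n";
        break;

    default:
        http_response_code(405);
        header('Allow: GET, POST');
}
```

Run it under a web server (for instance `php -S localhost:8000` in the script's directory), fetch `/edit.php?id=100` to get the form, then submit it. Note that nothing in the POST branch is less forgeable than the GET branch: `curl -d id=5 'http://localhost:8000/edit.php?id=100'` produces the same request the form does, which is why both arrays go through the same validation.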
+3  A: 

You should use POST if there is a lot of data, or sort-of sensitive information (really sensitive stuff needs a secure connection as well).

Use GET if you want people to be able to bookmark your page, because all the data is included with the bookmark.

Just be careful of people hitting REFRESH with the GET method, because the data will be sent again every time without warning the user (POST sometimes warns the user about resending data).

Grant
+1  A: 

I think this question has been very well answered but just to recap: For security purposes and for usability I essentially always use POST.

The only situation in which I use GET with any regularity is when I am passing a non-sensitive value (i.e. a record number) to a child script. GET works really well for this because you can simply make calls to the child script by passing it the GET value in the URL. For example: http://domain.com/script.php?record=100, "?record=100" is passing the GET parameter (named "record") with the value of 100 to the script named "script.php".

Do you have any further questions on the subject of GET/POST?

  • Nicholas
Nicholas Kreidberg
A: 

Troelskn, perhaps you meant that the $_REQUEST array in PHP contains both GET and POST?

refer here

gnomixa
No, on the contrary. I meant that $_GET and $_POST should have been named $_QUERYSTRING and $_REQUESTBODY. All HTTP requests (GET and POST inclusive) have $_GET, and $_POST isn't exclusive to POST type requests (it's also present at PUT requests, for example).
troelskn
Interesting, can you please provide an online reference to this?
gnomixa
http://www.megginson.com/blogs/quoderat/2007/02/15/rest-the-quick-pitch/ for starters. RFC2616 (I'm serious - don't let the lack of formatting scare you off). http://rest.blueoxen.net/ (down at the moment - use Google's cache). http://www.peej.co.uk/ has good articles on the subject too.
troelskn
Thanks, I was referring to your claim: "All HTTP requests (GET and POST inclusive) have $_GET, and $_POST isn't exclusive to POST type requests (It's also present at PUT requests, for example)". I have never heard this before, could you please quote a credible source regarding this? Thanks
gnomixa
$_GET is populated with the part of the REQUEST_URI, referred to as "query" in RFC2616. All HTTP requests have a URI, and thus all HTTP requests can have a query-string. $_POST contains the message-body, parsed according to application/x-www-form-urlencoded.
troelskn
The PHP documentation is vague and misleading about this, but both $_GET and $_POST are populated on every HTTP method. You can verify this by experimentation. PHP is fully capable of handling PUT requests, where it will parse the message-body into $_POST.
troelskn
+3  A: 

There are two common "security" implications to using GET. Since data appears in the URL string, it's possible someone looking over your shoulder at the address bar/URL may be able to view something they should not be privy to, such as a session cookie that could potentially be used to hijack your session. Keep in mind everyone has camera phones.

The other security implication of GET has to do with GET variables being logged to most web servers access log as part of the requesting URL. Depending on the situation, regulatory climate and general sensitivity of the data this can potentially raise concerns.

Some clients/firewalls/IDS systems may frown upon GET requests containing an excessive amount of data and may therefore provide unreliable results.

POST supports advanced functionality such as support for multi-part binary input used for file uploads to web servers.

POST requires a Content-Length header, which may increase the complexity of an application-specific client implementation, as the size of the data submitted must be known in advance, preventing a client request from being formed in an exclusively single-pass incremental mode. Perhaps a minor issue for those choosing to abuse HTTP by using it as an RPC transport.

Others have already done a good job in covering the semantic differences and the "when" part of this question.

Einstein
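An added example (not part of Einstein's answer) of the PHP side of keeping the session identifier out of the URL, and therefore out of the address bar and the access logs he mentions. The directives are PHP's own session settings (session.cookie_samesite needs PHP 7.3 or later); PHPSESSID is PHP's default session name. The weak values shown in comments are for contrast only.

```php
<?php
// Added example, not code from the original answer. Keeps the session id in a
// cookie only, so it never appears in URLs, bookmarks, Referer headers or logs.
declare(strict_types=1);

// Weak settings, shown for contrast (do not use):
//   session.use_trans_sid   = 1  -> PHP rewrites links to carry ?PHPSESSID=...
//   session.use_only_cookies = 0 -> a session id in the query string is accepted
//   session.use_strict_mode  = 0 -> an attacker-chosen id is adopted (fixation)

// Hardened settings; all must be set before session_start().
ini_set('session.use_only_cookies', '1');     // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');        // never rewrite links to carry the id
ini_set('session.use_strict_mode', '1');      // reject ids the server did not issue
ini_set('session.cookie_httponly', '1');      // not readable from JavaScript
ini_set('session.cookie_secure', '1');        // sent over HTTPS only
ini_set('session.cookie_samesite', 'Strict'); // not sent on cross-site requests

session_start();

// Self-check: an id supplied in the query string must never become the live one.
// With use_only_cookies=1 PHP ignores it and issues (or keeps) a cookie-borne id.
if (isset($_GET['PHPSESSID']) && $_GET['PHPSESSID'] === session_id()) {
    http_response_code(500);
    exit("session id was accepted from the URL; check the session ini settings\n");
}

echo "session id is carried in the cookie only\n";
```

A request such as `curl 'https://localhost/check.php?PHPSESSID=attackerchosen'` should then get a Set-Cookie header with a server-generated id and never the 500 branch. The settings address the exposure of the identifier through URLs; they do nothing about the eavesdropping case, which still needs TLS.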
A: 

Querystring on GET is limited to 2048 characters.

FA
Who is limiting the length of the query part? Pointer?
Julian Reschke
Browsers are. I don't think the specs have any limit though.
troelskn
A: 

The reason for using POST when making changes to data:

  • A web accelerator like Google Web Accelerator will click all (GET) links on a page and cache them. This is very bad if the links make changes to things.
  • A browser caches GET requests so even if the user clicks the link it may not send a request to the server to execute the change.
  • To protect your site/application against CSRF you must use POST. To completely secure your app you must then also generate a unique identifier on the server and send that along in the request.

Also, don't put sensitive information in the query string (only option with GET) because it shows up in the address bar, bookmarks and server logs.

Hopefully this explains why people say POST is 'secure'. If you are transmitting sensitive data you must use SSL.

sjbotha
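The three points in sjbotha's answer, worked into one added PHP example (not his code): the endpoint acts only on POST, requires the per-session identifier he mentions in the form and checks it in constant time, and marks the response uncacheable so accelerators and the browser cache cannot replay it. The file name delete_account.php and the csrf_token field name are chosen for the example.

```php
<?php
// Added example, not code from the original answer. The file name
// delete_account.php and the field name csrf_token are constructed.
declare(strict_types=1);

session_start();

/** Return the session's CSRF token, creating a random one on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session's. */
function csrfTokenValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Neither the form nor the result may be stored by a cache or prefetcher.
header('Cache-Control: no-store');

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // A GET can be triggered by <img src="...">, a link prefetcher or a web
    // accelerator, so it only renders the form and changes nothing.
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<form method="post" action="delete_account.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <button type="submit">Delete my account</button>
</form>
HTML;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: GET, POST');
    exit;
}

// POST: the browser had to have loaded our form in this session to know the token;
// a cross-site form post or an <img> GET from another origin cannot supply it.
if (!csrfTokenValid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit("bad or missing CSRF token\n");
}

// ... perform the deletion here (placeholder for the real state change) ...
echo "account deletion requested\n";
```

A cross-site `curl -d '' https://localhost/delete_account.php` or an injected `<img src="delete_account.php">` is rejected, while the form rendered by the GET branch goes through. As the answer says, this does not make the submitted data confidential; that still requires SSL/TLS.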
+1  A: 

1. The GET method is used to send less sensitive data, whereas the POST method is used to send sensitive data.
2. Using the POST method you can send a large amount of data compared to the GET method.
3. Data sent by the GET method is visible in the browser header bar, whereas data sent by the POST method is invisible.

A: 

Here is a good article that explains the HTTP POST and HTTP GET request

http://patelshailesh.com/index.php/http-get-and-http-post-in-asp-net

shailesh