What's up with all these _GET posts?

Posted: Mon Aug 11, 2003 9:47 pm
by JAM
Is there something I missed? Why are so many people referring in their posts about troubleshooting form-handling to using:

Code:

<form method="GET">
and not

Code:

<form method="POST">
That leads us into the following: why is it so hard to use the superglobals $_POST etc.?
One user even said that "I never needed to, so I won't now either, you suck you "all mighty"" when trying to explain about the register_globals.

"I read it in this book..." is a common comment of why, but I still really can't grasp it. Please comment...

Posted: Tue Aug 12, 2003 3:10 am
by Tubbietoeter
in some cases GET is more useful, eg. when you want to link to a page and call it with parameters. navigation links for instance.
in general i try to avoid it though, i like POST better.
i think it's just a question of what you are used to. it's hard to get rid of old habits.

Posted: Tue Aug 12, 2003 5:35 am
by JAM
I just thought that perhaps code usually might be described in beginners' books using $_GET, for the sole reason of giving the reader direct feedback. He/she can see what's happening in the address bar in the browser, rather than having to apply print_r($_POST)-like debugging.

But as it's used so widely by professionals (ie. bookwriters) there must be a reason. Are there any pros/cons with either $_POST and $_GET?

Posted: Tue Aug 12, 2003 8:07 am
by McGruff
Yes. Get is slightly less secure as a form method since a hacker has to go to all the trouble of forging a form with POST.

There's nothing to stop them doing that of course, and POST can still bombard your scripts with any var and any value. At least it might deter more casual hackers though.

If you check for alien keys (POST or GET keys which you know should not exist in a particular page call) a positive result is strong evidence of a hacking attempt. Don't forget session id's.
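An added illustration of the alien-key check described in the post above (not part of the thread and not McGruff's code). The function names, the login-page key names and the sample request are assumptions constructed for the example.

```php
<?php
// Added example: allow-list check for unexpected ("alien") request keys.
// The page, its key names and the sample request below are constructed.

/**
 * Return the keys present in $input that the page does not expect.
 * Only key names are compared; values are never inspected here.
 */
function find_alien_keys(array $input, array $allowed): array
{
    return array_keys(array_diff_key($input, array_flip($allowed)));
}

/**
 * Check GET and POST for one page call. The session name is always allowed,
 * because PHP may pass the session id in the URL when cookies are unavailable.
 */
function check_request(array $get, array $post, array $allowedGet, array $allowedPost): array
{
    $sessionKey    = session_name();   // "PHPSESSID" unless reconfigured
    $allowedGet[]  = $sessionKey;
    $allowedPost[] = $sessionKey;

    return [
        'get'  => find_alien_keys($get, $allowedGet),
        'post' => find_alien_keys($post, $allowedPost),
    ];
}

// Constructed request for a hypothetical login page that expects
// "user" and "pass" via POST and nothing but the session id via GET.
$sampleGet  = ['PHPSESSID' => 'abc123', 'admin' => '1'];
$samplePost = ['user' => 'jam', 'pass' => 'secret', 'is_admin' => 'yes'];

$alien = check_request($sampleGet, $samplePost, [], ['user', 'pass']);

if ($alien['get'] || $alien['post']) {
    // Log key names only; the values are untrusted and may be sensitive.
    error_log('Unexpected request keys: ' . json_encode($alien));
    // A real page would stop processing here, e.g. with an HTTP 400 response.
}
print_r($alien);
```

In a real page the two sample arrays would be replaced by $_GET and $_POST, with one allow-list per page call.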

Posted: Tue Aug 12, 2003 9:59 am
by nielsene
I have no idea why everyone seems to love GET. I hate, loathe, detest name-mangled URLs. If you have to go and back your whole website with a single php page with loads of dispatching, please at least do it using some Apache/alternative webserver tricks to map virtual urls to page parameters. Please don't just pass around page=1&subpage=40012. There's lots of tutorials out there on ways to do this nicely.

Yes POST sucks for other reasons, such as the lack of bookmarkability and the forward/back problem, but it's normally the better choice for forms. I can think of very, very few places I would use GET over either virtual URLs or POST -- in fact I think the only place I currently use it is in the automated fallback from cookies for sessions.

People use GET because it's what they learn. Then they perpetuate their cluelessness by telling others to use GET when POST doesn't work without looking into the reason, etc.

Posted: Tue Aug 12, 2003 10:09 am
by JAM
"forward/back problem"
I think that is solved using

Code:

<?php
header("Cache-control: private");
?>

Posted: Tue Aug 12, 2003 10:11 am
by nielsene
No, it's not. Some browsers implement the HTTP 1.0 standard which explicitly forbids requerying the server on forward/back navigation, regardless of the cache-directives. The HTTP 1.1 spec I believe makes it optional. However that still means that you can't count on the browser to requery, or not to requery, regardless of what you do with the cache-control.