Is there a difference between $_POST and $_GET?
In general and if I use them on pagination.
$_POST versus $_GET
- CoderGoblin
- DevNet Resident
- Posts: 1425
- Joined: Tue Mar 16, 2004 10:03 am
- Location: Aachen, Germany
I am sure that this has been discussed before.
$_GET -> limited in length, obvious to users as they see it as part of the URL
$_POST -> Any length. May cause popups on refresh. Parameters hidden from casual user.
To access either in PHP use $_REQUEST.
Never assume they are valid as both may be "fooled" by users, i.e. never use them in an SQL command unless you have validated them beforehand as they may be able to do nasty things like delete your db (look up SQL injection on the web).
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
$_POST is through headers...I think. $_GET is through the URL. $_GET is visible by the user by just looking at the address bar, whereas $_POST is not. Both of them have their advantages. $_POST almost always is sent by a user clicking a submit button, whereas $_GET can be sent by a person just clicking on a link.
edit: I was a bit late
CoderGoblin wrote: To access either in PHP use $_REQUEST.
pilau wrote: Don't use $_REQUEST. Security Holes.
How is that? Anybody can put anything they want in any $_REQUEST var - $_COOKIE, $_POST, or $_GET. Just because it's not $_GET doesn't make it more secure...
$_REQUEST may make it a bit simpler for script kiddies, though.
and be aware that:
RFC 2616 wrote: In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.
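An added example, not code from any poster in this thread, showing the pagination case from the original question with the validation the replies call for: the page number is read from one explicit source, accepted only as a positive integer, and bound into a prepared statement. The `posts` table, `PER_PAGE`, `page_from()` and `fetch_page()` are hypothetical names, and the request arrays are constructed stand-ins for `$_GET`.

```php
<?php
// Added example: pagination that validates the page number and binds it
// in a prepared statement (in-memory SQLite, so it runs offline).
declare(strict_types=1);

const PER_PAGE = 3; // assumed page size

// Read "page" from one explicit source and accept only a positive integer.
function page_from(array $source): int
{
    $page = filter_var($source['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100000]]);
    return $page === false ? 1 : $page; // anything else falls back to page 1
}

function fetch_page(PDO $db, int $page): array
{
    // Values are bound, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title FROM posts ORDER BY id LIMIT :lim OFFSET :off');
    $stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $db->prepare('INSERT INTO posts (title) VALUES (?)');
for ($i = 1; $i <= 7; $i++) {
    $ins->execute(["Post $i"]);
}

// Constructed inputs standing in for $_GET on four different requests.
$requests = [
    ['page' => '2'],
    ['page' => '2; DROP TABLE posts'],
    ['page' => '-5'],
    [],
];
foreach ($requests as $get) {
    $page = page_from($get);
    printf("%-32s -> page %d: %s\n", json_encode($get), $page,
        implode(', ', fetch_page($db, $page)));
}
```

In a real handler the call would be `page_from($_GET)`, which keeps the read-only listing on GET and makes the input source explicit.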