Home > Backend Development > PHP Tutorial > PHP basics POST and GET

PHP basics POST and GET

WBOY
Release: 2016-08-08 09:19:08
Original
1133 people have browsed it

Difference between post and get

Key points:

*. When Post transmits data, it does not need to be displayed in the URL, while the Get method must be displayed in the URL.
*.Post transmits a large amount of data, which can reach 2M, while the Get method can only transfer about 1024 bytes due to the URL length limit.
*.Post, as the name suggests, is to transmit data to the server segment, and Get is for Get data from the server segment. The reason why Get can also transmit data is just to tell the server what kind of data you need. Post information is used as the content of the http request, while Get is transmitted in the Http header.

Detailed description:

1. Get transfers the user's data through URL requests, connects the names of each field in the form and its contents as paired strings, and places them in the URL of the program pointed to by the action attribute. The data will be Displayed directly on the URL, just like the user clicks a link;

The Post method uses the HTTP post mechanism to place the names of each field in the form and its content in the HTML header (header) and transmit it to the server through the action attribute. The program processing referred to will read and process the form data through the standard input (stdin) method

2. The Get method requires the use of Request.QueryString to obtain the value of the variable.

Post method uses Request.Form to access the submitted content.
3. The amount of data transmitted by the Get method is very small, generally limited to about 2 KB, but the execution efficiency is better than the Post method;

The amount of data transmitted by the Post method is relatively large, and it is waiting for the server to read the data. There is also a byte limit, which is to avoid malicious attacks on the server with large amounts of data.
        Suggestion: Unless you are sure that the data you submit can be submitted in one go, please try to use the Post method

4. Submitting data through the Get method will cause security issues. It is recommended to use the Post method for form submission; (such as the login page, through Get When submitting data, the username and password appear on the URL. If the page can be cached or others can access the customer's machine, the user's account and password can be obtained from the history record)

The form submitted by the Post method A common problem with pages is that when the page is refreshed, a dialog box will pop up. Suggestion: For security reasons, it is best to use Post to submit data

5. Get limits the value of the data set in the Form form to be ASCII characters; while Post supports the entire ISO10646 character set. 6. Get is the default method of Form.


In the HTTP protocol, there are four verbs indicating operation methods: GET, POST, PUT, and DELETE. They correspond to four basic operations:

GET is used to obtain resources POST is used to create new resources (can also be used to update resources)
PUT is used to update resources
DELETE is used to delete resources.


PHP will automatically escape data obtained through post/get

Depending on the different configurations of the server, when obtaining data through post or get, some special characters such as '," may appear and will be converted Meaning. This problem is mainly caused by PHP magic quotes. PHP magic quotes include

magic_quotes_runtime, magic_quotes_sybase.

magic_quotes_gpc is summarized as follows:

1. For the case of magic_quotes_gpc=on,

and output Perform

addslashes() and stripslashes() operations on the string data of the database, and the data will be displayed normally.

If you perform addslashes() on the input data at this time,

then it must be output. Use stripslashes() to remove excess backslashes

2. For the case of magic_quotes_gpc=off

must use addslashes() to process the input data, but there is no need to use stripslashes() to format the output

because addslashes() does not write the backslashes into the database, but just helps mysql complete the execution of the sql statement. About magic_quotes_gpc in php injection. Everyone knows the php configuration file php. .in , if the magic_quotes_gpc configuration is turned on, it means magic_quotes_gpc = on. Everyone who knows php knows.

Then we have to inject the numeric field

<span> 1</span> <?
<span> 2</span><span>if</span> ( <span>isset</span>(<span>$_POST</span>["f_login"<span>] ) ){
</span><span> 3</span><span>//</span><span>连接数据库</span><span> 4</span><span>$t_strUid</span> = <span>$_POST</span>["f_uid"<span>];
</span><span> 5</span><span>$t_strPwd</span> = <span>$_POST</span>["f_pwd"<span>];
</span><span> 6</span><span>$t_strSQL</span> = "SELECT * FROM tbl_users WHERE uid=<span>$t_strUid</span> AND password = '<span>$t_strPwd</span>'      LIMIT 0,1"<span>;
</span><span> 7</span><span>if</span> ( <span>$t_hRes</span> = <span>mysql_query</span>(<span>$t_strSQL</span><span>) ){
</span><span> 8</span><span>//</span><span> 成功查询</span><span> 9</span><span>          }
</span><span>10</span><span>       }
</span><span>11</span> ?>
Copy after login

If it is entered correctly:

SELECT * FROM tbltable_users WHERE userid=admin AND password = 'admin' LIMIT 0,1

If the attacker enters: admin OR 1 =1 # at username, the injected sql statement is as follows:

SELECT * FROM table_users WHERE userid=admin OR 1 =1 # AND password = 'admin' LIMIT 0,1

The injection can be done below.

Set the display_errors option to display_errors = off in php.ini This will prevent .

magic_quotes_runtime
        如果打开的话,大部份从外部来源取得数据并返回的函数,包括从数据库和文本文件,所返回的数据都会被反斜线转义。该选项可在运行的时改变,在 PHP 中的默认值为 off。

magic_quotes_sybase
        如果打开的话,将会使用单引号对单引号进行转义而非反斜线。此选项会完全覆盖 magic_quotes_gpc。如果同时打开两个选项的话,单引号将会被转义成 ”。而双引号、反斜线 和 NULL 字符将不会进行转义。

由于不同服务器的配置不同,需要在代码中用get_magic_quotes_gpc() 检测服务器配置。

<span>1</span><span>if</span>(<span>isset</span>(<span>$_POST</span>['c'<span>])){
</span><span>2</span><span>$s</span> = <span>$_POST</span>['c'<span>];
</span><span>3</span><span>if</span>(<span>get_magic_quotes_gpc</span><span>())
</span><span>4</span><span>$s</span> = <span>stripslashes</span>(<span>$s</span>);<span>//</span><span>stripslashes() 函数删除由 addslashes() 函数添加的反斜杠。
</span><span>5</span><span>//do something</span><span>6</span> }
Copy after login

以上就介绍了PHP基础之POST与GET,包括了方面的内容,希望对PHP教程有兴趣的朋友有所帮助。

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template