When a user enters information into a form and clicks Submit, the information can be sent from the browser to the server in two ways: in the URL, or in the body of the HTTP request.
The GET method used in the previous example appends a name/value pair to the URL. Unfortunately, URLs are limited in length, so this method only works with very few parameters. If a form uses a large number of parameters, or if the parameters contain a large amount of data, the URL may be truncated. Additionally, the parameters passed on the URL are visible in the browser's address field, which is not the best place to display the password.
The alternative to the GET method is the POST method. This method wraps name/value pairs in the body of the HTTP request, which makes the URL cleaner and places no size limit on form output. It's also safer.
This is not a security issue. The HTTP protocol defines GET type requests as idempotent, while POST may have side effects. In plain English, this means that GET is used to view something without changing it, and POST is used to change something. For example, a search page should use GET, while a form to change your password should use POST.
Also, please note that PHP somewhat confuses these concepts. POST requests take input from the query string and request body. GET requests simply get input from the query string. So a POST request is a superset of a GET request; you can use $_GET in a POST request, or even use the same name in $_POST and $_GET, where the parameters mean different things.
For example, let's say you have a form for editing an article. The post ID is probably in the query string (and therefore available via $_GET['id']), but let's say you want to change the post ID. The new ID may then appear in the request body ($_POST['id']). Okay, maybe this isn't the best example, but I hope it illustrates the difference.
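As an added example (not code from the thread), a PHP edit handler for the article scenario above: the article being edited is taken from the query string ($_GET['id']), the new id and title come only from the request body ($_POST), and a GET never changes anything. The script name edit.php and the field names id and title are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Models the request discussed
// above: POST /edit.php?id=5 with body "id=7&title=...". The query string
// names the article being edited; the body carries the new values.
// $_GET and $_POST are passed in as arrays so the logic can be exercised
// without a web server.

function handleEdit(string $method, array $query, array $body): array
{
    // The article being edited is named in the URL, for GET and POST alike.
    if (!isset($query['id']) || !ctype_digit($query['id'])) {
        return ['status' => 400, 'error' => 'missing or non-numeric id in query string'];
    }
    $currentId = (int) $query['id'];

    if ($method === 'GET') {
        // GET only views: render the form, never modify the article.
        // Anything in the query string that looks like a change (a "title"
        // or a second "id") is ignored rather than applied.
        return ['status' => 200, 'action' => 'show_form', 'id' => $currentId];
    }

    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'method not allowed'];
    }

    // Same name, different meaning: $body['id'] is the *new* id. It is read
    // only from the body, so a plain link (a GET) can never trigger the change.
    $newId = $currentId;
    if (isset($body['id'])) {
        if (!ctype_digit($body['id'])) {
            return ['status' => 400, 'error' => 'new id must be numeric'];
        }
        $newId = (int) $body['id'];
    }
    $title = isset($body['title']) ? trim((string) $body['title']) : null;

    return ['status' => 200, 'action' => 'update',
            'from_id' => $currentId, 'to_id' => $newId, 'title' => $title];
}

// Entry point when served by a web server: PHP fills $_GET from the query
// string and $_POST from the body, exactly the split described above.
$result = handleEdit($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST);
header('Content-Type: application/json');
http_response_code($result['status']);
echo json_encode($result);
```

Calling handleEdit('POST', ['id' => '5'], ['id' => '7', 'title' => 'Hello']) yields an update from article 5 to 7, while the same parameters sent as a GET query string only produce the show_form action for article 5.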