Jump to content

Forms: Get Or Post/request (sorted)


dangercrow
 Share

Recommended Posts

Ok, basically I'm learning PHP, and I was wondering, other than for bookmarking purposes, is there any reason for using method="get"?Also, is there any point in using <?php echo $_GET["whatever"]; ?> or even <?php echo $_POST["whatever"]; ?> if <?php echo $_REQUEST["whatever"]; ?> works just as well, and with more compatibility with forms?Finally, can anyone explain how $_REQUEST actually works with $_GET, $_POST, and $_COOKIE all together? As the guide doesn't really explain fully...Thanks in advance,Dangercrow

Edited by Dangercrow
Link to comment
Share on other sites

Any other reason for using $_GET... sharing. Say you want to let a friend see whatever you're seeing. If a page is constructed from $_POST data, you can't. If it's from $_GET, it could.Also, statics. Most statistical software doesn't keep track of $_POST data. They do however have the option to keep the $_GET data.As for using $_REQUEST instead of $_GET, $_POST or $_COOKIE... in most cases, there isn't a reason not to use it on your own site. If you're making apps for others though, you should not use $_REQUEST to keep the app independant from PHP settings. What PHP settings you ask? The one answering your next question.Arrays in PHP have unique keys. So, if for example, both $_GET and $_POST contain a certain key, PHP needs a way to prefer one over the other within the $_REQUEST array. There's a setting in php.ini for this, called "gpc_order". It's default value - "GPC", says that first $_GET variables are processed, then $_POST variables (and therefore, conflicting keys from $_GET will now have the $_POST values), then $_COOKIE variables (and therefore, keys that conflict with the "GP" merge will now have the $_COOKIE values).

Link to comment
Share on other sites

Actually $_REQUEST does either $_POST or $_GET depending on which was used. If you have a login form with the input fields: username and password, and you are using $_REQUEST I could type this into my browser: http://www.yoursite.com/login.php?username...;password=Admin. If the username and password is correct I will be logged in. $_POST is basically used for security reasons.

Link to comment
Share on other sites

Actually $_REQUEST does either $_POST or $_GET depending on which was used. If you have a login form with the input fields: username and password, and you are using $_REQUEST I could type this into my browser: http://www.yoursite.com/login.php?username...;password=Admin. If the username and password is correct I will be logged in. $_POST is basically used for security reasons.
Hmmm... hadn't thought about that one... I suppose you have a point in that using $_REQUEST makes it easier to try and crack a login form. Using $_POST doesn't prevent crackers in any way though (I suppose you know that, but I'm telling it for the sake of anyone else reading this). It only forces them to use an additional tool (say, Fiddler, or the cURL library) to forge an HTTP request. Anyone who really wants to crack a login form can still try to.
Link to comment
Share on other sites

POST only adds security in open or shared client environments. Someone looking over your shoulder can see a query string in your URL bar and learn your password. Bad news. Likewise, if someone sits down and looks at your history, they can see an old query.Buut POST adds no security on the server side.Way back when, URL + query string was limited to a small number of characters. So GET was reserved for requests, and POST was used for uploading larger chunks of data, like the text from a textarea.Then there is the semantic element. GET means request. POST means upload. Call me traditional, but I think we should stick with that.Responses to GET requests are generally cached. This is a big difference, and probably the most important. When the same request returns the same data every time, it is more efficient to use GET.I'm always a little surprised when I see tutorials that defeat this functionality by adding random characters to the query string. This is useful for debugging, of course. But a strange thing to build into a release version. Why not use POST?True, encodeURIComponent() adds a tiny layer of complexity. But that's not a good enough reason, IMO. And it's only an AJAX thing, anyway. A regular form doesn't need that.

Edited by Deirdre's Dad
Link to comment
Share on other sites

Hmmm... hadn't thought about that one... I suppose you have a point in that using $_REQUEST makes it easier to try and crack a login form. Using $_POST doesn't prevent crackers in any way though (I suppose you know that, but I'm telling it for the sake of anyone else reading this). It only forces them to use an additional tool (say, Fiddler, or the cURL library) to forge an HTTP request. Anyone who really wants to crack a login form can still try to.
Like Deirdre's Dad said,
Someone looking over your shoulder can see a query string in your URL bar and learn your password. Bad news. Likewise, if someone sits down and looks at your history, they can see an old query.
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...