I am writing a PHP application that has a few forms. Often when a form is submitted I want to 1) update the database, then 2) forward to an URL. Usually the URL is dynamically constructed using parameters that were supplied as part of the last request.
My question is this: if a parameter is supplied in a request, solely for the purpose of constructing the 'forward to' url, should it be passed in the $_POST array or the $_GET array?
At the moment any parameters that need to be persisted as passed in $_POST, and those used solely for redirection are passed in $_GET.
This response, https://stackoverflow.com/a/1993498/356282, suggests that I should choose one method or the other...
I don't know the logic of your application but consider if your redirection is about users accessing some resources and it's about a authorizing users it's better parameters related to forward be in post global var.
here's good tutorial on POST and GET.
http://blog.teamtreehouse.com/the-definitive-guide-to-get-vs-post
and also here's a question I think which can help you.
When should I use GET or POST method? What's the difference between them?
Related
I have been checking out the Laravel source code a bit and I found this bit of code:
return $this->getRealMethod() == 'GET' ? $this->query : $this->request;
From:
https://github.com/illuminate/http/blob/master/Request.php#L668
This basically specifies that if the request method for a request is a 'GET' that the input method returns the query string parameters and otherwise gives you access to the POST variables.
This means that whenever I would make a post request I can not do the following to get a query string parameter named "date" for example:
$request->input('date')
I know it is useful to not merge POST and GET data since you get the possibility of overriding them but what is the exact motivation behind not allowing a user access to the query parameters when you make a POST request?
The way I see it, the input could have been split up into postInput and getInput for example to allow access to both without merging them. Of course you lose the ability that a generic input method gives you, but you gain a lot of flexibility.
Any thoughts on this?
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
I am reviewing a system (an old system) in which in some cases, they send data in a form with POST method, but they also send parameters to the url, as if using get.
something like this:
echo "\n<FORM METHOD='POST' NAME='onegroup' ACTION='menu.php?sesion=".$sesion."' >
<INPUT TYPE='HIDDEN' NAME='sesion' VALUE='".$sesion."'>
<INPUT TYPE='HIDDEN' NAME='index_login' VALUE='1'>
[...]
</FORM>\n";
(note, sesion is not a typo, is just the word "session" in spanish)
What happens is that the "sesion" parameter gets sent both by url and by an input field, thus, the 'sesion' variable is then received both in the $_POST array and the $_GET array.
Why would this be necessary and should i leave it like that? or could i just take it off from the url and just rely on the $_POST data?
I have read in the comments for this answer that it is perfectly possible and valid to send data from both GET and POST (although the method itself is only either GET or POST (or others) in this case is POST, because that is the way the form defines). Now in this specific case, why would someone want to send the SAME sesionvariable (i.e. with the same value) by both get (by url) and post requests?
In my menu.php script can read both $_POST and $_GET and each will have its "version" of the variable, but it happens to be the same.
I've also played around and saw that if instead of $_POST or $_GET i read the $_REQUEST array, i get all the variables together, but in the case of the duplicated one (sesion), the post version gets precedence.
Another thing is that they rely on the "Register Globals" option, and thus, instead of explicitly using $_GET["sesion"] or $_POST["sesion"] (or even $_REQUEST[]) they just use '$sesion' everywhere to use that information (and just the same for any other variable in the request). Again, playing around, i see that in that case, the POST version of the variable gets precedence also. But can I always rely on that?
Should I just use the post method and remove the parameter from the url?
Why would they want to do this instead of just sending everything by post? As I see it, there is no reason of using both, specially since both have the SAME value. If they didn't they could just choose which version to use, but that is not the case, and I can't think of anything other that it is just something they left there and never "fixed"
What are some "real-life" examples in which someone would need to use such scenario with both POST and GET requests, and specially with the same variable name in both?
thanks.
You should remove one of them (preferably GET) if the values are same. However, you also need to make sure that you make corresponding changes to your form processing logic so that the code gets the values it is expecting. It is better to use $_POST or $_GET in place of $_REQUEST since that way you are explicit about what values you are passing and what values is your code expecting. For example, if you are using $_REQUEST then your POST values can be overwritten by GET which might be a security issue. Also, it is not a good idea to rely on register globals as that could cause a security issue too plus the register global on/off setting might differ from server to server. As for why would someone do this, it could be an error or a lack of knowledge about the way PHP GET/POST works.
For a real life scenario:
For many of my applications, I use sessions and pass the php session_id as a GET parameter in the url from page to page. Each page also has a "verify.php" required which validates a session and checks if a user is logged in. If I am dealing with the forms, then I just creates forms and specify the action part as :
action="form_submit_page.php?SID=<?php echo Session_ID(); ?>"
The form passes the values from one page to another as POST while the action part passes session as GET.
I use query sting parameters (GET) to chose the active page and POST values to carry form data. There is a legitimate use-case for this.
If the data is a repeat, then kill the GET.
I've never understood this, and on my own projects I have never needed it. But I've been contributing to WordPress a little, and they use it heavily.
Somehow they are able to redirect the user to a different page with some sort of GET variable in the URL (which is what I understand to be the advantage of using GET over POST). How do they do this? Is it as simple as making a header like header('site.com/page.php?foo=true');? This can't be useful since you have to hard code everything in (unless you want to create a string based on other variables which is kind of annoying, even still). I thought there would be a built-in function like send_get('page.php', $foo);.
I understand how to use information by using $foo = $_GET['foo'];, but I don't know how to send it with PHP.
An explanation would be appreciated - thanks!
There isn't exactly a "customary" way of using it. It is one of nine superglobals. The way you use them is at your discretion. As Greg P already mentioned, they are passed through the URL.
I know how to set up a HTML form that sends variables this way, but how can I do the same thing with PHP?
If you're talking about sending GET variables with PHP solely, the answer is no. You needn't even have PHP to send a GET variable. It is as simple as adding a question mark followed by a variable name = something. Separate several of them using an ampersand (&)
Setting up a GET variable is as easy as creating an anchor link.
<a href='somepage.php?getVar1=foo&anotherVariable=2&thirdVar=3
You can use PHP to dynamically place certain information in there instead of writing it manually, which is the entire purpose of the language to begin with. It is a preprocessor
So, something like this should get you started
<?php
$someID = // An id pulled from a mysql_query
echo "<a href='somepage.php?someID=" . $someID . "'>GET LINK</a>";
I thought there would be a built-in function like send_get('page.php', $foo);
Again, PHP is a preprocessor. It doesn't send information, it only outputs it. What you're talking about is Javascript.. moreover, AJAX. AJAX is the only method that will allow you to send GET variables "behind-the-scenes". And, like was mentioned in another post, jQuery has an awesome codebase for this.
I think you're missing the forest for the trees...the $_GET/$_POST are just variables that are passed to the page processing them - what is DONE with them and how it is done, is up to the design of the application. For example, Joomla always puts the component_id and the item_id in the $_GET array, and has been designed with that in mind, so expects them to be there, and constructs the page, or redirects, or whatever with that in mind.
In your example, a send_get() function might be a good idea (I didn't design it), but the architects didn't see it that way for one reason or another. Joomla happens to have a redirect function that does have a certain dependancy on what was passed in the $_GET, but that is only by design of the applications authors.
Maybe redirect URL is kept in some of session variable. Properly $_GET variable, indicate for wordpress: "check session variable for redirect URL".
PHP.net says:
An associative array of variables passed to the current script via the URL parameters.
URL parameters: generally are variables passed to a script via the URL such as in your example site.com/page.php?foo=true. Everything after the ? is considered a paramter.
Quoted from a StackOverflow question:
The HTTP protocol defines GET type requests as being idempotent, while POST may have side effects. In pain English that means that GET is used for viewing something, without changing it, while POST is used for changing something. For example, a search page should use GET, while a form that changes your password should use POST.
I'm writing an API and want to follow the REST approach. As I understand it, if I want to let API users update specific records a PUT http://server/specific_resource type request should be supported. Of course, they're not doing a GET and they'll need to pass along the new data and my question is how to do this (in my specific case only updating some of the fields of the specified record, but that's not so relevant here). There are two approaches I can think of: including the data in the request body (using curl: curl -X PUT -d "key=value" http://server/specific_resource) or in a query string (using curl: curl -X PUT http://server/specific_resource?key=value).
Unfortunately, regardless of the approach I take, it seems very hard to get the provided data. The problem seems to be that PHP only really completely understands two HTTP methods, GET and POST, with PUT considered to be for file uploads. If I include the data in the body then the only way to access it seems to be via an fopen('php://input') call. For instance, http_get_request_body() doesn't provide the data. Likewise, the information can't be found in the $_REQUEST superglobal. If I don't want to have to process the raw request body with fopen('php://input') then it appears that I must send the data as query string parameters, as the data will appear as elements of the $_GET superglobal (and so also $_REQUEST).
I'm specifically using CakePHP and it seems to only populate the form array of the params array in my controller method if the request was a POST. Query string parameters are put in params' url array regardless of the request method if used in the request URL. Not surprisingly, I'm not the only one who has run into this.
What is the solution that you'd suggest? Process the input stream? Use query string parameters? Just forget the PUT verb and use POST instead?
Try this blog entry about parsing PUT data for a REST interface in PHP.
Use the server http method variable to check if its a PUT.
I sugget you to take a look at SLIM source code to check how they handle it
cheer!
I am new to PHP. In the path of learning PHP language, I notice that, some website would this kind of URL:
www.website.com/profile.php?user=roa3&...
My questions:
What is the "?" symbol used for?
If I were develop a php website, must I use it in my URL? For example, after a user(roa3) successful logged in, I will redirect to "www.website.com/profile.php?user=roa3" instead of "www.website.com/profile.php"
What are the advantages and disadvantages of using it?
Good questions, briefly,
"?" stands for the start of querying
string which contains the data to be
passed to the server. in this case
you are passing user=roa3 to
profile.php page. You can get the
data by using $_GET['user'] within
profile.php. querystring is one of the methods to send data to the server from client agent. The other one places the data in HTTP body and POST to the server, you don't see the HTTP POST data directly from browser.
querystring can be edited by user
and it is visible to the public. If
www.website.com/profile.php?user=roa3
is intended to be public then it is
fine, otherwise you may want to use
session to get current user's
context.
it is a flexible way to pass data to
the server, but it is visible and
editable to the users, for some
sensitive data, at least produce
some kind of hash before attaching
it to the querystring, this prevents
users to edit it or understanding
the meaning of it. However this
doesn't prevent a decent hacker to
do something wrong about your
website. Different browsers support different max length of URL, the lengthy URL is made up by those querystring parameters. If you want to send large amount of data, place the data in the HTTP body and POST to the server.
Most of the answers I've seen so far have been in terms of PHP, when in reality this isn't language specific. The answers given so far have been from the view of PHP and the methods you would use to access the information differ from one language to the next, but the format in which the data is in the URL (known as the Query String) will remain the same (Ex: page.ext?key1=value&key2=value&...).
I don't know your technical background or knowledge, so please forgive me...
There are two different methods for a web page to provide data back to the web server. These are known as the POST or GET methods. There also also a bunch of others, but none of those should be used in any sort of web design when dealing with a normal user. The POST method is sent invisibly to the server and is meant for 'uploading' data, while the GET method is visible to the user as the Query String in the URL and is only meant to literally 'get' information.
Not all sites follow this rule of thumb, but there can be reasons as to why. For example, a site could use POST exclusively to get around caching by proxy servers or your browser, or because they use double byte languages and can cause issues when trying to perform a GET because of the encoding conversion.
Some resources about the two methods and when to use them...
http://www.cs.tut.fi/~jkorpela/forms/methods.html
http://weblogs.asp.net/mschwarz/archive/2006/12/04/post-vs-get.aspx
http://en.wikipedia.org/wiki/Query_string
Now from a strictly PHP position, there are now 3 different arrays you can use to get the information a webpage has sent back to the server. You have to your disposal...
$_POST['keyname'], to grab only the information from a POST method
$_GET['keyname'], to grab only the information from a GET method
$_REQUEST['keyname'], to allow you to grab the POST, GET, and any COOKIE information that might have been submitted. Sort of a catchall, especially in cases where you don't know which method a page might be using to submit data.
Don't get sloppy by going directly with the $_REQUEST method. Unless you have a case like I mentioned above for the $_REQUEST variable, then don't use it. You want to try and use a 'deny all, and only allow x,y,z' approach when it comes to security. Only look for the data that you know your own site will be sending, only look for the combinations that you'll be expecting, and cleanse all of the information before you use it. For example..
Never do an eval() on anything passed via the above methods. I've never seen this done, but it doesn't mean people haven't tried or do.
Never use the information directly with databases without cleaning them (research into SQL injection attacks if you're not familiar with them)
This is by far not the end-all, be-all to PHP security, but we're not here for that. If you want to know more along line, well then thats another question for SO.
Hope this helps and feel free to ask any questions.
1) If a user logs in to your site, you would use Sessions to store there username instead of passing it in the url e.g profile.php?username=roa3
2) Using a ? symbol in the urls is generally considered bad for Search Engine Optimization. Also, the urls look a bit ugly. Using mod_rewrite you can do the same thing as profile.php?user=roa3 or products.php?id=123&category=toys with: site.com/profile/roa3 or products/toys/123.
Using the CodeIgniter framework will give you friendly URLs by default and eliminate the need for ?s in your urls. See this page for an example.
3) The ? symbol is also used inside the code of a php page. For example, an if else block such as:
if ($x==1)
$y=2;
else
$y=3;
can also be written as:
$y=($x==1) ? 2 : 3;
The "?" signifies that some GET variables are to follow. You example uses a variable called "user", and assigns a variable called "roa3".
Advantages of using GET variables:
they can be bookmarked as part of the URL
Disadvantages
they are public.. Anyone can intercept and see this information. These url requests are even cached by servers along the journey. So anyone can impersonate your roa3 user just by typing that information in by hand... also they could change the roa3 to a different user and impersonate them..
You can also use a "&" symbol to separate many variables e.g.:
www.website.com/profile.php?user=roa3&fav_colour=blue
Other options:
POST variables
You can send your variables via the POST variables. These variables are passed in the header of the request, not the url of the request. they are not immediately obvious, and are not cached by servers along teh journey, but they can still be read. unless you have a HTTPS conection established.
variables in a form can be sent by POST or GET methods.. You specify this in the "method" of the form. <form action="index.php" method='post'/>
SESSION variables
Session variables are stored on the server. A session id is passed to the user, and this session id is passed back to the server every time the user makes another request. This session id can then be used to get the session variables that were stored. So you could store a user's favorite colour, their name, and ip address etc.. but you could store it on teh server rather than the user's home PC.
Session ids can be impersonated, so it is good to check against the user's IP, and or to wrap them in a secure conection. eg https.
session variables can't be changed by someone who intercepted the request.
COOKIE variable:
Similar to the session variables, except that they are stored on the user's PC, not the server. They are stored against a domain, and when they go to that domain, they resubmit the variables in the header of the request to the server.. this means that the user could change and hack the variables, or someone else could.
To access these variables in php you can use:
$x = $_GET['user'] for a get variable
$x = $_POST['user]
$x = $_REQUEST['user'] - the combination of get, post and cookie variables
$x = $_COOKIE['user'] - cookie variables
$x = $_SESSION['user'] to access the session variables
(user could be replaced with the name of the variable you are using)
Simple enough stuff, but important to know what they actually do.
? is part of the HTTP standard and not part of PHP. Thought I should point that out so when you move on to another language and see it again you are not confused thinking there is PHP involved.
Otherwise there are some excellent answers above.
From the server's point of view, the ? is just another character. PHP provides easy methods for parts of the URL after the ? character, e.g. for "/profile.php?user=roa3", PHP will set $_GET['user'] = 'roa3'.
The reason ? is useful in URLs is that browsers can construct dynamic URLs using forms -- in the case above, I would expect that the URL was built by an HTTP form with a field "user", into which the human user has typed "roa3".
"?" is used to separate the URL and the parameters. For e.g, it is like http://www.url.com/resourcepath?a=b&c=d. In this case a=b is like request_parameter=request_value.
Ya, Its not advisable to use much of the parameters because the total url size is limited and it is like GET request, where all the parameters are shown on the url and the user can modify it. In your example, say what if a user modify the url to "user=techmaddy'.
Advantage is it can be used for the GET kind of requests. Disadvantage is low security, limitation in size.