Thread: $_POST vs $_GET

    #1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    452
    Rep Power
    11

    $_POST vs $_GET


    Hi,

    I noticed I use the $_POST a lot more than the $_GET variable, even when information can be sent in the URL. When is it better to send data with the $_POST and when with the $_GET? Should we use the $_GET when (for example) the user wants to select an item in a list (on a webshop) which directs him to a page where there are more details etc. of the product?

    EDIT: And should we use the $_POST when updating or inserting something in the database?
    Last edited by derplumo; July 8th, 2014 at 08:29 AM.
  2. #2
  3. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,884
    Rep Power
    6355
    At the very basic level, $_GET is to request data from your server (like specifying a detail page) and $_POST is for submitting data to your server (like user input, comments, etc.).
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  4. #3
  5. Contributing User
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jul 2003
    Posts
    4,350
    Rep Power
    630
    Originally Posted by derplumo
    Hi,
    EDIT: And should we use the $_POST when updating or inserting something in the database?
    It really doesn't matter which you use for inserting into a database as long as you validate the data and use prepared statements.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    452
    Rep Power
    11
    ok, thanks for the clarification.
  8. #5
  9. Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Sep 2006
    Posts
    2,118
    Rep Power
    538
    Originally Posted by gw1500se
    It really doesn't matter which you use for inserting into a database as long as you validate the data and use prepared statements.
    But don't. Use POST whenever you want to change something (i.e. database, but I also use it when a session is changed for reasons other than accessing a page). Use GET when you want to get something without making a change. Browsers are built for this. Robots (at least good ones) won't attempt to change your database. Users won't accidentally bookmark adding crap to your site. 3rd party plugins will work with your site. Others will be better able to provide assistance. Probably more, but most importantly, you will generally be a happier person.

    Comments on this post

    • derplumo agrees : Good explanation, and who doesn't want to be a happier person :)
  10. #6
  11. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2014
    Posts
    2
    Rep Power
    0
    you can use $_REQUEST var)

    Comments on this post

    • gw1500se disagrees : Bad advice. $_REQUEST should not be used for anything.
  12. #7
  13. Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Dec 2004
    Posts
    3,082
    Rep Power
    379
    NEVER EVER use $_REQUEST.. it can open up hacking possibilities..
  14. #8
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    452
    Rep Power
    11
    I already thought so

    What possibilities are those?
  16. #9
  17. Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Sep 2006
    Posts
    2,118
    Rep Power
    538
    Originally Posted by derplumo
    I already thought so

    What possibilities are those?
    Always know where your data is coming from.

    EDIT. Also, by doing so, you are effectively using GET to update your database which we agree is not a good idea.
    Last edited by NotionCommotion; July 9th, 2014 at 01:05 PM.
  18. #10
  19. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    452
    Rep Power
    11
    Ok, but what attacks etc. should I think of? How exactly could a hacker use this to their advantage? Then I know why it is a mistake to use it (other than the EDIT part of your answer).
  20. #11
  21. Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Dec 2004
    Posts
    3,082
    Rep Power
    379
    just google it, the main thing is it allows anything to be used for anything.. like a login form with email/pass, you can use GET variables.. cookies can also be manipulated.. basically you want to restrict the data source... it's a bit like if there is a room with one door and there is a flood, you can probably close one door.. but if the room has 5 or 6 doors, how will you close all 5 or 6 at the same time?
  22. #12
  23. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2014
    Location
    Birmingham, UK
    Posts
    4
    Rep Power
    0
    Originally Posted by paulh1983
    NEVER EVER use $_REQUEST.. it can open up hacking possibilities..
    Never say never, just be careful with it. For example if you have a page where you want to accept either $_GET, $_POST or $_COOKIE.
  24. #13
  25. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    452
    Rep Power
    11
    But isn't it better to use a validation to see where your data is coming from? If I have a script where I accept a $_POST and a $_GET for the same variable name ($_POST['name']) but don't check where it comes from, it might lead to storing empty or invalid data in the database.
    Need a secure login system with a password forgot? Here it is: A more advanced login system with password forgot
  26. #14
  27. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,884
    Rep Power
    6355
    As long as you're aware of the precedence order of the superglobals (which can be changed in php.ini) then using $_REQUEST is no more dangerous than using $a = isset($_POST['a']) ? $_POST['a'] : (isset($_GET['a']) ? $_GET['a'] : /*etc*/);

    It's usually the mark of new, inexperienced, and therefore bad coders the same way @functions() are, but if you know what you're doing and you can explain the reason behind your choice aside from "I'm lazy", then it's a fine thing to use.
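
Added example (not part of any post in this thread): a PHP CLI sketch of the precedence point in the post above. `build_request()` and `read_item_id()` are hypothetical helpers; `build_request()` imitates how the `request_order` php.ini setting merges GET, POST and cookie data into `$_REQUEST`, and all request values are constructed. It shows the same three inputs producing a different `item_id` depending on the configured order, next to a handler that names its source explicitly.

```php
<?php
// Added example: simulates how PHP fills $_REQUEST so it can run from the CLI.
// All request data below is constructed sample input.

// Merge sources left to right, as request_order does:
// a source named later in the string overwrites one named earlier.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Explicit-source handler: a state change is accepted only from a POST request,
// and the value is read only from the POST body, then validated as a positive integer.
function read_item_id(string $method, array $post): ?int
{
    if ($method !== 'POST' || !isset($post['item_id'])) {
        return null;
    }
    $id = filter_var($post['item_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed request: the form posts item_id=42, while the query string
// and a cookie carry different values under the same name.
$get    = ['item_id' => '7'];
$post   = ['item_id' => '42'];
$cookie = ['item_id' => '999'];

// The value the application sees through $_REQUEST depends on configuration.
foreach (['GP', 'PG', 'GPC'] as $order) {
    $req = build_request($order, $get, $post, $cookie);
    printf("request_order=%-3s  \$_REQUEST['item_id'] = %s\n", $order, $req['item_id']);
}

// The explicit handler ignores the query string and cookie entirely.
var_dump(read_item_id('POST', $post));               // accepted
var_dump(read_item_id('GET', $post));                // wrong method, rejected
var_dump(read_item_id('POST', ['item_id' => 'abc'])); // fails validation, rejected
```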
  28. #15
  29. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    452
    Rep Power
    11
    I have that declaring part only for the values that are passed on (like an item_id), but I use the $_POST version when I update or insert something in the db so I know that I use the 'good' data.