Get &amp; Post

Get & Post

Jason_Batten

Hey all,

I know generally POST is better for security but I'm just a little confused on which is best to use here. I was mucking around trying to get a random script to work. Now I have questions 😕

If I use the GET method in the script below I don't need to write the complete URL in the action field. Naturally the code works as expected with a url of page.php?display=show_yes or no

<?php

if ($_GET['display'] == 'show_yes')
{
  echo '<p>Success, showing the text!</p>';
}

if ($_GET['display'] == 'show_no')
{
  echo '<p>Nope, not showing the text!</p>';
}

?>

<form name="yes" method="get" action="page.php?display">
<input type="hidden" name="display" value="show_yes">
<a href ="#" onclick='document.yes.submit();'>submit</a>
</form>
<br>
<form name="no" method="get" action="page.php?display">
<input type="hidden" name="display" value="show_no">
<a href ="#" onclick='document.no.submit();'>submit2</a>
</form>

Now if I use the POST method I must write the full URL in the action field. If I don't it just displays the URL as page.php?display

<?php

if ($_POST['display'] == 'show_yes')
{
  echo '<p>Success, showing the text!</p>';
}

if ($_POST['display'] == 'show_no')
{
  echo '<p>Nope, not showing the text!</p>';
}

?>

<form name="yes" method="POST" action="page.php?display">
<input type="hidden" name="display" value="show_yes">
<a href ="#" onclick='document.yes.submit();'>submit</a>
</form>
<br>
<form name="no" method="POST" action="page.php?display">
<input type="hidden" name="display" value="show_no">
<a href ="#" onclick='document.no.submit();'>submit2</a>
</form>

It's 5:12am and I haven't had any coffee I don't know what I'm trying to ask but what the hell is the difference? The script is simple but would it matter when displaying information or something?

Cheers

rachel2004

Not sure what you're trying to do, but as far as the post method, you can drop the "display" part from the action string:

<form name="yes" method="POST" action="page.php">

If the page that you are submitting to is the same as the page holding the HTML form, this will also work:

<form name="yes" method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

I'm not sure if I answered your question, though.

Jason_Batten

Thanks for your reply! Let's just fill this topic up with GET & POST information shall we!

BUT JavaScript doesn't like it when you take away ?display from the POST methods action in the above script, try it out 😉

This next code is easy enough to read. There are NO forms involved unlike the previous script so this is formless and JavaScriptless too. The GET method is used to display the extra text and works. The POST method is used to display the plus text and doesn't work. Is this because there is a lack of a FORM? does this mean you don't need a form for get?

<?php

if ($_GET['display'] == 'extra')
{
  echo '<p>EXTRA!</p>';
}

if ($_POST['display'] == 'plus')
{
  echo '<p>PLUS!</p>';
}

?>

<a href="page2.php?display=extra">click here</a>
<br>
<a href="page2.php?display=plus">click here2</a>

Hope this code helps people, it's helping me! Although the question is about security, are there security ricks with this new script? 😕

rachel2004

Originally posted by NetNerd85
The POST method is used to display the plus text and doesn't work. Is this because there is a lack of a FORM? does this mean you don't need a form for get?

You are correct in your guess. GET can work from just a hyperlink, where POST requires that you pass it's values with an HTML form.

The security risk between the two comes from the fact that a user can modify the string that is displayed in the URL. It's okay to use GET, but don't use it to pass sensitive information (eg. passwords, credit card numbers, etc.). Use POST over SSL in those instances.

Jason_Batten

Thanks Rachel for the information about Security!

I mainly looked into all of this for my CMS. I wanted to use the one php page to list, create and edit articles without having a huge page with all those functions on it. I currently have a seperate page for editing articles but now I don't need one 😃

PHP is simply amazing and definitely dynamic! It is both easy and difficult. I could have wrote out all the code in my first script but the second script does the same thing with less coding.