Which METHOD is BETTER and WHY ? (GET vs POST)

[zeeshanhashmi]

Hi People.

Here i want u people to participate in the POLL to know which METHOD is BETTER and WHY ??? GET or POST ???

Thanks

[Will Kelly]

Other. Pigeons. Much more reliable and only require seed to keep going.

[zeeshanhashmi]

is that Really an ohter option for FORM Submittion ? is yesm the please put some more detail, otherwise, I have clearly mentioned (IF ANY) means if there is not any other way then it should not be VOTED. Anyways, i can not say anything regarding yoru UNDERSTANDING. (IF ANY) !!

[mrwooster]

I have recently done some research on this and, this is what I found:

Strait from the HTML 2.0 specification

If the processing of a form is idempotent (i.e. it has no lasting observable effect on the state of the world), then the form method should be GET. Many database searches have no visible side-effects and make ideal applications of query forms.
- -
If the service associated with the processing of a form has side effects (for example, modification of a database or subscription to a service), the method should be POST

If a user submits a POST form, and then he tries to refresh, most browsers produce a warning message. This is useful if the data is added to a database or "has a lasting effect on the universe". If the data is idempotent, such as a search, you do not want browsers producing warnings all over the place and so GET is best.


To conclude - I have no real proference because I use POST or GET depending on the situation.

[AutisticCuckoo]

If the operation has side effects or the information being transferred is sensitive: POST.

If the operation is idempotent and the result should be linkable: GET.

Otherwise it doesn't matter much.

[Will Kelly]

is that Really an ohter option for FORM Submittion ? is yesm the please put some more detail, otherwise, I have clearly mentioned (IF ANY) means if there is not any other way then it should not be VOTED. Anyways, i can not say anything regarding yoru UNDERSTANDING. (IF ANY) !!

I have despatched a pigeon to answer your question.

[Will Kelly]

You , having such a good experience in this Forum (i.e. over 200 posts) I was thinking that u must be having a good knowledge of PHP and must have some MIND to think about a matter. I m sad to say that I was worng. I did not invited u specifically to join the POLL. Afterall some people requried more care becasue they donot have mind to thing or they think if they use their mind it will me consumed. I think now u should have a good understanding.

Come again?! Sorry I reserve the right to occasionally be silly in this serious, serious world. And AutisticCuckoo has answered your poll/question anyway. *stifling laughter*

[mrwooster]

Come again?! Sorry I reserve the right to occasionally be silly in this serious, serious world. And AutisticCuckoo has answered your poll/question anyway. *stifling laughter*

Here here

The world would be a very boaring place without a bit of sillyness

[r937]

hear, hear (see http://www.straightdope.com/mailbag/mhear.html)

[paulyG]

I find GET is slightly easier to debug.

Inexperienced PHP'ers will see all their vars in the url string:

index.php?name=j%20bloggs&jobttitle=tanker

I was working on a script once in which the author had this bit of code in the form elements:

<?php echo isset($debug) ? 'GET'; 'POST' ?>

Though I never used similar, I did think it was smart of him/her. I think that could be a good strategy before you go "live".

Now I just use a debug func that throws all my vars on the page, or just use the excellent:
print_r($_POST);

Another thing using GET, it reminds you just how open your code is to anyone looking, DONT call your vars the same as your table column names! It also gives you a lesson in what urlencode does.

and another thing, using GET you can just fiddle with the url and resend your form, much easier to see if your form handler is validating your input correctly.

You should mostly be using POST IMHO, it accepts far more data too.

[mrwooster]

You should mostly be using POST IMHO, it accepts far more data too.

Good point - especially if you want do do things like send emails or upload files.

[F4nat1c]

I prefer $_POST. I don't like any information being passed through pages to be visible, which $_GET does. And besides, a shorter URL is better than some long needless one:

$_POST

Code:

domain.com/login.php

$_GET

Code:

domain.com/login.php?email=uifjguifjgfugf&userid=2323&subject=jdhfudhfud

[paulyG]

I prefer $_POST. I don't like any information being passed through pages to be visible, which $_GET does.

Thats fine as long as you understand that the only level of hacker you are putting off is a "fiddler", someone who fiddles around with GET vars, because they are so used to checking their own error handling, they have started doing it on other peoples' websites...

index.php?name=j%20bloggs&jobttitle=tanker

Ohh lets try:

index.php?name=j%20bloggs&jobttitle=12345

Ohh doesnt check very much, so lets try...

index.php?name=j%20bloggs&jobttitle=;drop%20table%20users

[kandalf]

$_GET is much more insecure than $_POST, besides $_GET has a 32K size limit, basicaly for this two reasons I think $_POST is the best choice for most actions, but $_GET is a suitable for some tasks, for example building URL's dinamically for redirecting pages.
About debugging stuff, $_POST can be debugged as easy as $_GET, just try

PHP Code:

var_dum($_POST) 


Conclussion, I think $_POST is the best choice, but $_GET has to be considered for some tasks.

[bokehman]

$_GET is much more insecure than $_POST, besides $_GET has a 32K size limit, basicaly for this two reasons I think $_POST is the best choice for most actions, but $_GET is a suitable for some tasks, for example building URL's dinamically for redirecting pages.

$_POST... more secure? Care to explain that untruth in more detail? Secondly under HTTP/1.1 there is no size limit for query strings; the rfc just states that the server must be able to handle any query string that it serves.

On a side note the original post didn't mention forms, just method. Well it is possible to use all three methods (GET, POST, COOKIE) at the same time to send data from the browser to the server.

[F4nat1c]

Go to:

Predefined Variables

There isnt really much difference. It's more a matter of opinion than fact to which method you use. $_POST is 'tidyer'. I don't like long URL's.

[kyberfabrikken]

I definately prefer DELETE. It just has much more authority.

[kyberfabrikken]

There isnt really much difference. It's more a matter of opinion than fact to which method you use. $_POST is 'tidyer'. I don't like long URL's.

Seriously though. There is a semantic difference between GET and POST. See : http://www.prescod.net/rest/

[zeeshanhashmi]

Hi
as long as the URL values like
index.php?name=j%20bloggs&jobttitle=;drop%20table%20users
we can ENCRYPT the data from the source script and latter after validation (to eliminate any XSS), we can DECRYPT the Cipher back to plain. for example

"index.php?uid=zeeshan" could become "index.php?uid=6FF4439C33221ABD3FE4"

[zeeshanhashmi]

Any One Else ?????

[Will Kelly]

I'm reliably informed that someone shot my pigeon. Sorry about that.

[kyberfabrikken]

I'm reliably informed that someone shot my pigeon. Sorry about that.

An all too common fate for pigeons.

[onion2k]

I'm reliably informed that someone shot my pigeon. Sorry about that.

It was me.

Damn pigeons.

[zeeshanhashmi]

Thanks onion2k nice SHOOTING.....

[jjdave]

Thanks onion2k nice SHOOTING.....

Actually ONION2K's bullet was off course (wrong trijectory), so I had to shoot his bullet to change the path and direct it to the target, which was the pigeon.

Originally Posted by kandalf:
but $_GET is a suitable for some tasks, for example building URL's dinamically for redirecting pages

But anyway, for dynamic variables (one or more) redirecting, is there any other alternative then $_GET??? There is no way around it, is there?