Articles in Get and Post Category

Understanding Get and Post

Web forms are the main medium in web sites for sending user input to web servers. A web form contains set of fields a user can fill and submit for processing at the server. Based on the processing, user may get a response from the web server.

A common example is login pages in email services and social networks. You enter your username and password and submit the form. Then the web server processes them and shows you your default page if credentials are correct. If not, it would show you an error page.

get and post are two methods of sending data from a web form to a web server. Let’s take a simple example and understand the behavior of these two. Following is a web form (details.html) for submitting username and password (Note that we don’t execute any database queries to validate credentials).


<form name="frmLogin" method="get" action="details.php">
Username: <input type="text" name="txtUsername" />
<br /><br />
Password: <input type="password" name="txtPassword" />
<br /><br />
<input type="submit" name="btnSubmit" value="Submit" />


Following is the PHP file (details.php) that resides on the server which process submitted data in details.html.


echo 'Username : '.$_GET['txtUsername'];
echo '<br />';
echo 'Password : '.$_GET['txtPassword'];


Provided that you have setup a web server in your PC, put above two files in a folder under the web folder of your server (say http://localhost/learnphp/) and call details.html in your web browser (http://localhost/learnphp/details.html) then give some values to Username and Password fields (say Robin, robin123) and click the submit button. You would see following output.

Username : Robin
Password : robin123

Once the entered data in details.html is submitted to details.php, built-in $_GET associative array get populated taking names of the form fields as keys and their values as corresponding values. This happens because we used get for the method attribute of the form.

Similarly we can change the method to post and $_POST will get populated accordingly. Change the method attribute of frmLogin to post and then change details.php as below.


echo 'Username : '.$_POST['txtUsername'];
echo '<br />';
echo 'Password : '.$_POST['txtPassword'];


Now call details.html and submit the data just as you did above and you would see the same result.

You could see that form field names are used as keys in $_GET and $_POST. So, if you don’t mention the name attribute of a form field no $_GET or $_POST array element will be populated for that particular field.

Difference between Get and Post

When you submit the data via get method, if you observed the URL of response (at the address bar of your web browser), you could see that it’s like below.


Examine the part after detials.php. You can see that a question mark (?) immediately follows and then name and value pairs of form fields have been separated by & sign. Now in the address bar of your web browser, change the values of “txtName” and “txtPassword” to something else as below.


Then hit the Enter key. You would see that current output gets changed as below.

Username : Taylor
Password : taylor456

In the URL, you are not limited to include only the parameters that were in the web form (txtName and txtPassword). You can append new parameters or discard existing ones and include only new ones. Change the details.php as below so it lets you see what are the parameters and their values.


echo '<pre>';
echo '</pre>';


Then change the URL like below and hit Enter key.


It would give you an output like below.

array(2) {
  string(7) "Jackman"
  string(2) "37"

Now observe the URL of response when using post method. It would be like below only showing the file name where the submitted data was processed.


As shown, in addition to web forms, $_GET can be populated by passing values via the URL. You would prefer post method most of the time since often you may not like to show submitted data in the URL (like txtPassword above).

But there may be cases that you find using get makes things easier. For an example think that you are writing a program that involves user profiles. Then you can list links to user profiles as below mentioning user IDs that would be used to fetch the corresponding user profile once a link is clicked.

<li><a href="http://localhost/learnphp/profile.php?user_id=1">Robin Jackman</a></li>
<li><a href="http://localhost/learnphp/profile.php?user_id=2">Taylor Edward</a></li>

Once you write your HTML file like above, you can write profile.php using $_GET['user_id'] to fetch details of a user profile.


$_REQUEST is another built-in array and gets populated for each get or post request. So, you could write details.php as below and use it for both get and post.


echo 'Username : '.$_REQUEST['txtUsername'];
echo '<br />';
echo 'Password : '.$_REQUEST['txtPassword'];


Using $_REQUEST is not recommended most of the time since when it comes to the reliability of submitted data, you would also need to make sure that data came via the method you imposed and not via any manipulated way (For an example, even when your form’s method is post, you can still pass values via the URL to details.php and populate $_REQUEST array).

Naming is important in these three arrays. That is $_GET, $_POST and $_REQUEST should be in upper case ($_get, $_POSt and $_rEQUEST are not valid).

Form Action

As mentioned, in form’s action attribute you specify where the submitted data should go. In the examples, both details.html and details.php were in the same folder. Therefore we could give just the file name as the action. But it’s possible to specify relative URLs or completely remote URLs in action attribute.

That is in your details.html, (which’s URL is http://localhost/learnphp/details.html) form action could be pointed to as below provided that details.php resides there and doesn’t employ any mechanism to reject data submitted via other domains.

<form name="frmLogin" method="post" action="">

Security Concerns

Web forms are a main medium of sending data from a client computer to a server. Because of that they are also a victim of spamming and hacking attacks.

For an example, as shown above, it’s possible to create a form similar to your one somewhere else and point to a file in your server in the action attribute (provided that you haven’t restricted that).

This will let anyone to bypass any client side validation you have employed in your web form (often using JavaScript) and send harmful data, or they could simply turn off JavaScript in their web browser. This is preventable with CSRF tokens.

Another form of attacks is called SQL Injections where the hacker enters data in a way that once submitted web server performs database queries that reveal sensitive information like usernames and passwords.

Because of these reasons, when you create a live web application, you have to be careful and employ a good server-side validation mechanism to ensure that you receive only the expected types of data.

Where to Head from Here...
Share with Your Peers...

We Value Your Feedback...

We love to hear what you think about this article. Please provide your opinion, suggestions and improvements using following form. Note that submitted feedback is not displayed but we will get back to you if it needs a reply.