Page 1 of 1

Get & Post Methods: How to & why.

#1 no2pencil
  • Head MFIC

Posted 23 October 2007 - 09:54 AM

Get & Post Methods: How to & why.

The GET method is used to collect values from a form.

Get method example:
<form action="signin.php" method="get">
  First Name: <input type="text" name="Fname" />
  Last Name: <input type="text" name="Lname" />
  <input type="submit" />
</form>




Once the submit button is pressed by the user, the form will collect the values & send them along with the url.
You'll end up with something like this:

Quote

signin.php?Fname=John&Lname=Doe
The signin page will actually "Get" the values from the url.

Since the information sent from a form with the GET method will be displayed in the browser's address bar, it is visible to everyone.
It also has limits on the amount of information to send. Its max is 100 characters.

The $_GET variable is an array of variable names and values sent by the HTTP GET method.

Using our example from above, $_GET would contain the following:

<?php

// Read each field only if the form actually sent it.
if(isset($_GET['Fname'])) {
  $Fname=$_GET['Fname'];
}
else {
  echo "Fname was not set in the form\n";
}
if(isset($_GET['Lname'])) {
  $Lname=$_GET['Lname'];
}
else {
  echo "Lname was not set in the form\n";
}

?>





The Post method is used to send values from a form.

Post method example:
<form action="signin.php" method="post">
  First Name: <input type="text" name="Fname" />
  Last Name: <input type="text" name="Lname" />
  <input type="submit" />
</form>




Once the submit button is pressed by the user, the form will collect the values & send them, invisible to others.
As well, the Post method has no limits on the amount of information to send.

In our example above, the signin page will actually have the values posted, invisible to any user. The $_POST variable catches the form data,
& the values can be retrieved using the following:

<?php

if(isset($_POST['Fname'])) {
  $Fname=$_POST['Fname'];
}
else {
  echo "Fname was not set in the form\n";
}
if(isset($_POST['Lname'])) {
  $Lname=$_POST['Lname'];
}
else {
  echo "Lname was not set in the form\n";
}

?>



Security:
It is important to note that you never want to directly work with the $_GET & $_POST values. Always send their value to a
local variable, & work with it there. There are several security implications involved with the values when you directly access (or
output) $_GET & $_POST.

Security Tip 1: Strip the HTML & PHP content.
This can be done easily with the strip_tags() command. The strip_tags() command simply removes HTML and PHP tags from a string,
& returns only its true text value. The reason for this is simple. You don't want someone to input PHP code that will execute
when your script fires off. For example :

<?php

if(isset($_POST['Fname'])) {
  $Fname=$_POST['Fname'];
}
else {
  echo "Fname was not set in the form\n";
}
if(isset($_POST['Lname'])) {
  $Lname=$_POST['Lname'];
}
else {
  echo "Lname was not set in the form\n";
}

if(isset($Fname)) {
  // Strip any markup before the value is echoed back to the browser.
  echo strip_tags($Fname) . " was passed from the form\n";
}
	
?>



This works for most cases, but there are also ways of outputting the HTML code without allowing it to execute.

Security Tip 2: Don't trust the $_GET content
Rather than taking the user for their word, actually test the contents of $_GET before using it. A good example of this would be
parsing the contents through a switch/case. In a situation where you might be uploading (or loading) a file:

<?php

if(isset($_GET['file'])) {
  // Only the values named in the switch map to a file; anything else is
  // rejected, so the request can never choose an arbitrary path.
  switch ($_GET['file']) {
	case "home.html":
	  $file = "home.html";
	  break;
	case "main.html":
	  $file = "main.html";
	  break;
	default:
	  $file = null;
	  break;
  }

  if ($file !== null && ($fh = fopen($file, "r")) !== false) {
	// ... work with $fh here
	fclose($fh);
  }
}

?>



This is also safe practice when running system commands.

<?php
if (isset($_POST['host'])) {
  // Deliberately unsafe: the raw value is concatenated straight into a shell command.
  system("ping " . $_POST['host']);
}

?>



If a user was to enter "; rm -rf /", then $_POST would pass exactly that, & your system would execute

www@host$ping; rm -rf /

An example of checking the input for the preceding would be to use the strpos command. It will check for a string within a string.

<?php

if(isset($_POST['host'])) {
  $host=$_POST['host'];

  // strpos() returns the offset of the match, which is 0 (falsy) when the
  // needle sits at the very start of the string, so compare against false.
  if (strpos($host," rm ") !== false) {
	echo "Invalid option";
  }
  if (strpos($host,"-rf") !== false) {
	echo "Invalid option";
  }
  if (strpos($host,";") !== false) {
	echo "Invalid option";
  }
}

?>



Security Tip 3: Encrypt/Hash your sensitive data.
If you are going to be passing passwords or other sensitive information through your $_GET & $_POST variables, create an md5
hash to offer another layer of protection. It's above this tutorial, but you should also salt hashes, & or encrypt the data.

<?php
if(isset($_POST['password'])) {
	// Hash the submitted password; the plaintext is never kept.
	$pass = md5($_POST['password']);
}
?>



The md5() function will convert the text passed into it, into a 32 character long hash. Combine this with a one-way salt, & you have
got yourself a pretty secure password.

Security Tip 4: $PHP_SELF can be overwritten; check the hardened php value

<?php
if(isset($_SERVER['REQUEST_URI'])) {
	$page = $_SERVER['REQUEST_URI'];
	// PHP_SELF is the script path as PHP sees it; REQUEST_URI is what the
	// client actually asked for. Compare the two before trusting either.
	if($page != $_SERVER['PHP_SELF']) {
	  echo "This is not the beginning page!\n";
	}
	else {
	  // ...
	}
}
?>



Security Tip 5: Use the SSL
Because $_POST values are not stored in the history as they are with $_GET, it is more secure. However, this should not allow you to
sleep well at night. $_POST over SSL is much more secure because the content is encrypted at the Server end to Browser end. Any
traffic intercepted along the middle, will be encrypted garbage, & useless without the SSL keys. If SSL is available to you, use it!

Overview:
Since the Get method posts values in the url, it should never be used when sending passwords or other sensitive information.
On the other hand, because the variables are displayed in the URL, it is possible to bookmark the page. With Post however, the variables
are not displayed in the URL, making it impossible to bookmark the page. Unlike Get, with Post your variables have no length limit.

This post has been edited by no2pencil: 17 September 2013 - 12:22 PM


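Security Tip 1 mentions that there are ways of outputting HTML without letting it execute, and Security Tip 4 warns about $PHP_SELF. The following is an added example, not code from the original post, showing strip_tags() beside output encoding with htmlspecialchars(). It assumes PHP 7 or later; the function names and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not part of the original post): two ways of neutralising
// HTML in form input. strip_tags() throws the markup away; htmlspecialchars()
// keeps it as visible text but stops the browser from interpreting it.
// All inputs below are constructed for the demo.

declare(strict_types=1);

/** Remove all tags, as the original tip does. Whatever is not inside a
 *  complete <...> tag survives untouched, including attribute payloads. */
function clean_by_stripping(string $value): string
{
    return strip_tags($value);
}

/** Output encoding: the value renders literally, so nothing in it executes. */
function clean_by_encoding(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** $PHP_SELF echoes the request path, so it gets the same treatment before
 *  it is placed in a form's action attribute. The default is an assumption
 *  for running from the command line, where no request path exists. */
function form_action(): string
{
    $self = $_SERVER['PHP_SELF'] ?? '/signin.php';
    return clean_by_encoding($self);
}

$samples = [
    'Alice',
    '<script>alert(1)</script>Bob',
    'Carol <b>bold</b>',
    '" onmouseover="alert(1)',   // no complete tag: strip_tags() has nothing to remove
];

foreach ($samples as $input) {
    printf("input:  %s\n", $input);
    printf("strip:  %s\n", clean_by_stripping($input));
    printf("encode: %s\n\n", clean_by_encoding($input));
}

// Rendering a value back into the form: only the encoded form is safe inside
// an attribute, and the action attribute is encoded for the same reason.
$name = $samples[3];
printf("<form action=\"%s\" method=\"post\">\n", form_action());
printf("  First Name: <input type=\"text\" name=\"Fname\" value=\"%s\" />\n", clean_by_encoding($name));
printf("</form>\n");
```

Run it with `php` from the command line and compare the two columns: stripping loses the user's text and still lets the attribute-only payload through, whereas encoding preserves the text and makes every sample inert in both element content and attribute context.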
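Security Tip 2 recommends a switch/case allowlist for file names and a strpos() blacklist for the ping host. The following is an added example, not code from the original post, that carries the allowlist idea through to both cases and puts it side by side with the blacklist so the gap is visible. It assumes PHP 7 or later; the page table, the hostname pattern, and the sample inputs are assumptions made for the demo.

```php
<?php
// Added example (not part of the original post): allowlist validation for
// the file-selection and ping cases from Security Tip 2, contrasted with the
// strpos() blacklist. Page paths and sample inputs are constructed.

declare(strict_types=1);

/** Map a user-supplied page name to a real path, or null. The table is the
 *  allowlist; the request value is never used to build the path itself. */
function resolve_page(string $requested): ?string
{
    $pages = [
        'home' => __DIR__ . '/pages/home.html',   // assumed layout
        'main' => __DIR__ . '/pages/main.html',
    ];
    return $pages[$requested] ?? null;
}

/** Blacklist in the spirit of the original example, with the strpos() !== false
 *  fix applied. It still only knows the tricks its author thought of. */
function host_passes_blacklist(string $host): bool
{
    foreach ([' rm ', '-rf', ';'] as $bad) {
        if (strpos($host, $bad) !== false) {
            return false;
        }
    }
    return true;   // "$(id)", "|id" and "`id`" all get through
}

/** Allowlist: only an IP literal or a DNS-style hostname is accepted. */
function host_passes_allowlist(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match('/^(?=.{1,253}$)(?:' . $label . '\.)*' . $label . '$/i', $host);
}

/** Build the command. Even after the allowlist the argument is still quoted,
 *  so the shell never sees it as anything but a single word. */
function ping_command(string $host): ?string
{
    if (!host_passes_allowlist($host)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

foreach (['home', 'main', 'home.html', '../../../etc/passwd'] as $name) {
    printf("file=%-22s -> %s\n", $name, resolve_page($name) ?? '(rejected)');
}
echo "\n";

foreach (['example.org', '192.0.2.10', '8.8.8.8; rm -rf /', ';id', '$(id)', '|id'] as $h) {
    printf("host=%-20s blacklist=%-5s allowlist=%-5s cmd=%s\n", $h,
        host_passes_blacklist($h) ? 'pass' : 'block',
        host_passes_allowlist($h) ? 'pass' : 'block',
        ping_command($h) ?? '(refused)');
}
```

The blacklist blocks the exact payload from the tutorial and nothing else; the allowlist refuses every input that is not shaped like a host, and escapeshellarg() is kept as a second line of defence in case the pattern is ever loosened.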
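Security Tip 3 says to md5 the password and, beyond the tutorial's scope, to salt it. The following is an added example, not code from the original post, that shows what a salted, per-user hash looks like in modern PHP using password_hash() and password_verify() (available since PHP 5.5), next to the unsalted md5 from the tip. It assumes PHP 7 or later; the in-memory user table and the user names are constructed for the demo.

```php
<?php
// Added example (not part of the original post): salted password hashing
// with password_hash()/password_verify(), compared with unsalted md5().
// The $users array stands in for a database table and is constructed here.

declare(strict_types=1);

/** Weak scheme from the tip: no salt, so equal passwords give equal hashes
 *  and a precomputed table cracks every user at once. */
function md5_store(string $password): string
{
    return md5($password);
}

/** Recommended: bcrypt with a random salt drawn per call. The returned
 *  string carries algorithm, cost and salt, so nothing else needs storing. */
function register(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** Constant-time check. One password_verify() runs even for an unknown
 *  user, so response time does not reveal which usernames exist. */
function login(array $users, string $username, string $password): bool
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : password_hash('dummy', PASSWORD_BCRYPT);
    return password_verify($password, $hash) && $known;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');
register($users, 'bob',   'correct horse battery staple');

// Same password, two different hashes, because each call draws a fresh salt.
printf("alice: %s\nbob:   %s\n", $users['alice'], $users['bob']);
printf("md5 for both: %s\n\n", md5_store('correct horse battery staple'));

foreach ([['alice', 'correct horse battery staple'],
          ['alice', 'wrong'],
          ['mallory', 'anything']] as [$u, $p]) {
    printf("login(%s): %s\n", $u, login($users, $u, $p) ? 'ok' : 'denied');
}

// When the cost policy is raised, rehash at the next successful login.
if (password_needs_rehash($users['alice'], PASSWORD_BCRYPT, ['cost' => 12])) {
    echo "alice's hash is below the current cost and should be upgraded\n";
}
```

Note that the hash never travels in $_GET or $_POST: the browser submits the plaintext over SSL (Security Tip 5) and the server hashes it, because a hash computed client-side would itself become the password.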

Replies To: Get & Post Methods: How to & why.

#2 aceofspades686
  • D.I.C Regular

Posted 26 October 2007 - 03:57 AM

Nicely done, I had been curious about quite a few of these things for a while now and couldn't really find much on them. (Granted I didn't dig too hard, but still).

#3 1lacca
  • code.rascal

Posted 26 October 2007 - 04:08 AM

Quote

Since the information sent from a form with the GET method will be displayed in the browser's address bar, it is visible to everyone.
It also has limits on the amount of information to send. Its max is 100 characters.

What limits the get to 100 characters? Although there is a limit, it is much higher. Looking at this article I think 1-2000 is technically possible (although it is probably not needed, and definitely not 'nice').
Anyway, nice tutorial, I like it!

#4 no2pencil
  • Head MFIC

Posted 26 October 2007 - 05:12 AM

1lacca, on 26 Oct, 2007 - 04:08 AM, said:

Quote

Since the information sent from a form with the GET method will be displayed in the browser's address bar, it is visible to everyone.
It also has limits on the amount of information to send. Its max is 100 characters.

What limits the get to 100 characters? Although there is a limit, it is much higher. Looking at this article I think 1-2000 is technically possible (although it is probably not needed, and definitely not 'nice').
Anyway, nice tutorial, I like it!

Arg, you got me! I had found that limitation & was going to double check it before posting it. Forgot to do so. Sorry!

#5 ahmad_511
  • MSX

Posted 28 October 2007 - 02:56 PM

Quote

Security:
It is important to note that you never want to directly work with the $_GET & $_POST values.

Security tips are wonderful :^:

#6 GHY
  • New D.I.C Head

Posted 10 April 2008 - 12:59 PM

Nice tutorial and thanks for the security tips.
Could you please give me more information on security tip #5 and how to post over SSL? We do have a security cert on our server.

Thank you!

#7 no2pencil
  • Head MFIC

Posted 10 April 2008 - 01:15 PM

SSL is handled by the web server. When a request is made on the SSL port (usually 443), the web server will respond with the public key, & a private key is created. The private key is good only for that one viewer, as one is generated for each viewer. These 2 keys are what are used to encrypt the traffic. Once the data reaches PHP, it's decrypted. So all SSL layer traffic happens above $_POST & $_GET (as well as anything else PHP related), so there is (to my knowledge on the subject) nothing different required from the developer.

#8 sfw
  • New D.I.C Head

Posted 30 April 2008 - 12:16 PM

thanks very much. very helpful tutorial.



no2pencil, on 10 Apr, 2008 - 01:15 PM, said:

SSL is handled by the web server. When a request is made on the SSL port (usually 443), the web server will respond with the public key, & a private key is created. The private key is good only for that one viewer, as one is generated for each viewer. These 2 keys are what are used to encrypt the traffic. Once the data reaches PHP, it's decrypted. So all SSL layer traffic happens above $_POST & $_GET (as well as anything else PHP related), so there is (to my knowledge on the subject) nothing different required from the developer.

