0

I just wanted to know the values which I pass in URL are of Get type or Post type.

शेखर
  • 17,412
  • 13
  • 61
  • 117

2 Answers2

2

Neither or both. They are just part of the query string. Since they are part of the URI, they can appear in any kind of HTTP request.

(Some confusion might occur because PHP will populate the $_GET superglobal with them no matter what verb (GET, POST, PUT, etc) was used to make the request. Some other environments are more sensible, Perl tends to call them Query Params, ASP.NET uses Request.QueryString)

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • +1 I didn't know any `$_GET` is populated with any query string params, not just those from a GET request. – Anirudh Ramanathan Jul 16 '12 at 09:38
  • it means in asp.net it is not a part of Get or Post. Is Post is more secure than Get? – शेखर Jul 16 '12 at 09:58
  • @krshekhar — "it means in asp.net it is not a part of Get or Post" — No, it means that ASP.NET doesn't use "GET" to mean "Data in the query string". Query strings can still appear in all kinds of data. – Quentin Jul 16 '12 at 09:59
  • @krshekhar — "Is Post is more secure than Get?" — POST data is less vulnerable to over-the-shoulder attacks, and is less likely to be recorded in log files. – Quentin Jul 16 '12 at 10:00
  • So Post is more secure than Request (query sting) too since it is less vulnerable and chances of XSS is less? – शेखर Jul 16 '12 at 10:15
  • @krshekhar — POST is no less vulnerable to XSS. You **cannot** trust that data from outside your system will be safe for injecting into an HTML document without being converted to HTML with `htmlspecialchars` (or being put through a filtering (on a whitelist) HTML parser). – Quentin Jul 16 '12 at 10:16
  • so it does not matter what is the method of form Get or Post both are unsecured in terms of XSS. So I can use either. In case of jqery is is same? – शेखर Jul 16 '12 at 10:42
  • Assuming you mean jQuery, then it is a JS library that you can do stuff with. Any vulnerabilities depend on what you do with it. – Quentin Jul 16 '12 at 10:44
1

The browser sends any request that contains query parameters, those query parameters populate $_GET. As @Quentin says, they need not necessarily be from a GET request.

On the other hand, A POST is made most commonly during form submission. $_POST variables are not a part of the URL, and are sent as POSTDATA.

Anirudh Ramanathan
  • 46,179
  • 22
  • 132
  • 191
  • A URL is fetched (or rather, a resource identified by a URL is fetched) for any kind of HTTP request, not just GET. – Quentin Jul 16 '12 at 09:25
  • a GET request is used to fetch an HTML page and POST is used to send data to a server-page. A POST does not fetch any data, only response headers. Am I wrong? – Anirudh Ramanathan Jul 16 '12 at 09:31
  • 1
    You are. Both GET and POST send data to the server (POST has a body as well as headers, but both body and headers contain data). The server makes an HTTP response to both. That response will usually include a document. Even when using the POST-REDIRECT-GET pattern, the response from the POST should include a document with a link (for clients that don't honour the Location header … it is quite a old bit of the specification). – Quentin Jul 16 '12 at 09:33
  • Okay. Thanks. So query parameters from any type of request made to a server will populate $_GET? – Anirudh Ramanathan Jul 16 '12 at 09:35