Web Conference 2005: Writing PHP for ITS/ASET Web services - The POST Method
Here is the same form as used in the last exercise but using the POST method:
You may convert a form to use the POST method by simply setting the method attribute of the <form> tag as follows:
Before:
<form action="form.php" method="GET">
  What is your favorite color: <input type="text" name="color">
  <input type="submit">
</form>
After:
<form action="form.php" method="POST">
  What is your favorite color: <input type="text" name="color">
  <input type="submit">
</form>
Just as you may read GET parameters (CGI parameters sent via
the GET method) from the $_GET global array, you may read
POST parameters via the $_POST global array.
You may also read both GET and POST parameters from the
$_REQUEST global array.
To read the known parameter color, use the following code:
<?php
# Check the parameter exists before reading it (avoids an undefined-index notice),
# then prevent XSS by escaping HTML special chars:
$color = isset($_REQUEST['color']) ? htmlspecialchars($_REQUEST['color']) : '';
echo "<p>Your favorite color is " . $color . "</p>\n";
if( isset( $_POST['color'] ) ){
    # \$_POST is escaped so PHP prints the literal name instead of
    # interpolating the array into the double-quoted string:
    echo "<p>Since you used the POST method, I know you sent "
        . $color . " via the \$_POST global array</p>\n";
}
?>
To see all of the POST parameters, use:
<table border=1>
<tr><th>Parameter Name</th><th>Value</th></tr>
<?php
foreach ( $_POST as $param_name => $value ) {
    # A field named e.g. color[] arrives as an array; htmlspecialchars()
    # expects a string, so flatten arrays with print_r() first.
    $text = is_array($value) ? print_r($value, true) : $value;
    echo "<tr> <td>" . htmlspecialchars($param_name) . "</td> <td>"
        . htmlspecialchars($text) . "</td> </tr>\n";
}
?>
</table>
Which appears on a page as:
| Parameter Name | Value |
|---|---|
Or you may use a shortcut:
<?php
echo htmlspecialchars( print_r($_POST, true) );
?>
Which appears on a page as:
Array ( )

The second most popular HTTP protocol request method is the POST method. It differs from the GET method in the following ways:
| | GET | POST |
|---|---|---|
| Query String is placed | In the URL (HTTP request header) | In the HTTP request body |
| Parameters may be sent via a plain HTML Web form | Yes | Yes |
| Parameters may be sent via JavaScript or other client side scripting | Yes | Yes |
| Parameters may be sent over a redirect | Yes | No (some browsers may resend POST data after being redirected) |
| Parameters may be sent via a plain hyperlink | Yes | No |
| Parameters may be bookmarked | Yes | No |
| Parameters will be seen in the browser history | Yes | No (some browsers may allow resending of POST data during the same session) |
| Parameters will be seen in the server logs | Yes | No |
| Parameters are safe for passwords and other sensitive data | No | Yes (assuming other security precautions are taken) |
| Parameters are safe for large amounts of data (>1KB) | No | Yes |
| Parameter names and values are encoded making it safe for binary data | Yes | Yes |
| Parameters may be read from the PHP arrays | $_GET and $_REQUEST | $_POST and $_REQUEST |
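To make the first and second-to-last rows of this table concrete, here is an added example (not part of the original tutorial) that parses the two constructed requests a browser would send for the favorite-color form, one with GET and one with POST, shows where PHP's `$_GET`, `$_POST` and `$_REQUEST` values come from, and builds the kind of access-log line a Web server writes; the host name and the log format are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not captured traffic): the favorite-color
# form submitted once with GET and once with POST. Host name is made up.
GET_REQUEST = (
    "GET /form.php?color=blue HTTP/1.1\r\n"
    "Host: www.example.edu\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /form.php HTTP/1.1\r\n"
    "Host: www.example.edu\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 10\r\n"
    "\r\n"
    "color=blue"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}

def cgi_params(req):
    """Mirror PHP: $_GET comes from the query string, $_POST from a form body."""
    get = parse_qs(req["query"])
    post = {}
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        length = int(req["headers"].get("content-length", "0"))
        post = parse_qs(req["body"][:length])
    # $_REQUEST merges both; with PHP's default order a POST value overrides
    # a GET value of the same name.
    return {"_GET": get, "_POST": post, "_REQUEST": {**get, **post}}

def access_log_line(req):
    """Common-Log-Format-style entry (assumed layout): only the request line
    is logged, so GET parameters end up in the log and POST parameters do not."""
    target = req["path"] + ("?" + req["query"] if req["query"] else "")
    return '127.0.0.1 - - [constructed] "%s %s HTTP/1.1" 200 -' % (req["method"], target)
```

Run `access_log_line(parse_request(GET_REQUEST))` and the same for `POST_REQUEST` to see `color=blue` appear in the first log line but not the second.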
To get a better understanding of the HTTP protocol and CGI parameter passing, visit my Web 2004 tutorial on Perl and CGI lessons on:
How Hyper-Text Transfer Protocol (HTTP) Works - a simple illustration of how a Web browser requests a page from a server.
How CGI over HTTP Conversations Work - an illustration of how CGI parameters are sent over HTTP.
If you have any questions, feel free to ask me. Content by: Jeff D'Angelo <jcd@psu.edu> © 2005. Last update on: Mon Jun 29, 2009, 12:06:28 AM