The sudden video interview caught me off guard. I tried to search for the dusty knowledge in my mind but found nothing. So after reviewing it, I recorded it, hoping to help you who read this blog.
The first is the most familiar one, which is the "answer" given by W3School:
GET
Note that the query string (name/value pair) is sent in the URL of the GET request:
/test/demo_form.php?name1=value1&name2=value2
- GET requests can be cached
- GET requests remain in the browser history
- GET requests can be bookmarked
- Do not use GET requests when handling sensitive data
- GET request has a length limit
- GET request is only used to request data (no modification)
POST
POST is used to send data to the server to create/update resources.
The data sent to the server via POST is stored in the request body of the HTTP request
POST /test/demo_form.php HTTP/1.1
Host: w3schools.com
name1=value1&name2=value2
- POST requests are never cached
- POST requests will not remain in the browser history
- POST request cannot add bookmark
- POST request has no limit on data length
This standard answer from W3School elaborates on the difference between the two, but it is not enough.
First of all, we need to learn a term called " idempotent ". If we say that an HTTP method is idempotent , it means that the same request is executed once and executed multiple times in succession. In other words, Idempotent methods should not have side effects. Under the condition of correct implementation, GET, HEAD, PUT, DELETE and other methods are all idempotent , but the POST method is not. All safe methods are also idempotent.
Idempotence is only related to the actual status of the back-end server, and the status code received for each request is not necessarily the same. For example, the first call to the DELETE method may return 200, but subsequent requests may return 404. The implication of DELETE is that developers should not use the DELETE method to implement a RESTful API with the function of deleting the last entry.
GET /pageX HTTP/1.1Is idempotent. Called multiple times in a row, the results received by the client are the same:
GET /pageX HTTP/1.1
GET /pageX HTTP/1.1
GET /pageX HTTP/1.1
GET /pageX HTTP/1.1
POST /add_row HTTP/1.1Not idempotent. If it is called multiple times, multiple rows of records will be added:
POST /add_row HTTP/1.1
POST /add_row HTTP/1.1 -> Adds a 2nd row
POST /add_row HTTP/1.1 -> Adds a 3rd row
DELETE /idX/delete HTTP/1.1It is idempotent, even if the status codes received between different requests are different:
DELETE /idX/delete HTTP/1.1 -> Returns 200 if idX exists
DELETE /idX/delete HTTP/1.1 -> Returns 404 as it just got deleted
DELETE /idX/delete HTTP/1.1 -> Returns 404
So it's not a question of which is more secure, POST or GET, their uses are different:
GET is used to view some content without changing it, or to retrieve remote data and request the specified resource
POST is used to change some content, that is, submit processing data to the identified resource
For example, the search page should use GET, and the password change form should use POST.
The HTTP/1.1 specification (RFC 2616) section 15 Security Considerations explains why only GET should be used to retrieve data:
Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in someplace where it might be visible to third parties. Servers can use POST-based form submission instead
The general meaning is as follows: Authors using HTTP protocol should not use GET to submit sensitive data, because this will cause the data to be encoded in the request URI. Many existing servers, proxies, and user agents will be visible in some places of third parties. The server can use POST-based form submission instead.
In PHP , the concepts of the two are a bit confusing. POST requests get input from the query string and through the request body. The GET request only gets input from the query string. Therefore, we can say that POST requests are a superset of GET requests. You can use $_GET in a POST request, or even using parameters with the same name in $_POST and $_GET even means different meanings, and may even make sense.
For example, suppose you have a form for editing an article, the title ID may be in the query string, which is obtained using $_GET['id'], but suppose you want to change the title ID. The new ID will appear in the request body: $_POST['id'].
Finally, there is a very important point. When applying the GET method to an AJAX request, some browsers cache the result of the request, especially Internet Explorer. Therefore, if you use the same GET request for polling, even if the data to be queried is updated on the server side, the same result will always be returned. One way to alleviate this problem is to make each requested URL unique by appending a timestamp.
We can use the following code to achieve:
var timestamp = new Date().getTime();
url = url + '?t=' + timestamp;I was troubled by this problem in my graduation project, but I did not realize that it was caused by the idempotent nature of the GET method. Through this review, I learned the forgotten knowledge and gained new knowledge.
This blog post is more like a note, the structure is a bit messy, and it is more arbitrary. I hope it can help you who read this blog post. If you like this blog post, please give a like or one-click triple link. Thank you for your support !
Reference catalog:
StackOverflow:What is the difference between POST and GET? [duplicate]
StackOverflow:When should I use GET or POST method? What's the difference between them?
W3C:Protocol -- HTTP/1.1 RFC 2616:15 Security Considerations
W3School:HTTP Request Methods
php.net:$_POST