Parse the difference between post and get requests

Two commonly used HTTP request methods: post and get

get: Request from the specified resource. The data length is limited (2048 characters) and can be cached and retained in the browser history, making it less secure. Not applicable when sending sensitive information such as passwords.

post: Submit data to be processed to the specified resource. The data length is unlimited, cannot be cached, cannot be saved in browser history, and is highly secure. POST is more stable and reliable than GET.

1. According to the HTTP specification, GET is used for information acquisition and should be safe and idempotent.

　(1). The so-called safe means that the operation is used to obtain information rather than modify information. In other words, GET requests should generally not have side effects. That is to say, it only obtains resource information, just like a database query. It will not modify or add data, and will not affect the status of the resource.

* Note: The meaning of security here only refers to non-modified information.

　(2). Idempotent means that multiple requests to the same URL should return the same result. Here I will explain the concept of idempotence again:

Idempotence (idempotent, idempotence) is a mathematical or computer science concept that is common in abstract algebra.
There are several definitions of idempotence:
For unary operations, if an operation is performed multiple times on all numbers in the range, the result obtained by performing the operation multiple times is the same as the result obtained by performing the operation once. , then we say that the operation is idempotent. For example, absolute value arithmetic is an example. In the set of real numbers, there are abs(a)=abs(abs(a)).
For binocular operations, it is required that when the two values ​​​​participating in the operation are equal, if the operation result is equal to the two values ​​​​participating in the operation, the operation is said to be idempotent, such as finding the The function of the maximum value is idempotent in the set of real numbers, that is, max(x,x) = x.

After reading the above explanation, you should be able to understand the meaning of GET idempotent.

But in actual application, the above two regulations are not so strict. Examples of citing other people's articles: For example, the front page of a news site is constantly updated. Although the second request returns a different batch of news, the operation is still considered safe and idempotent because it always returns the current news. Basically, if the goal is that when a user opens a link, he can be sure that the resource has not changed from his perspective.

　2. According to the HTTP specification, POST represents a request that may modify resources on the server. Continuing to quote the above example: Let's take the news website as an example. Readers' comments on the news should be implemented through POST, because after the comments are submitted, the resources of the site are different, or the resources are modified.

The above briefly talks about some principle issues of GET and POST in the HTTP specification. But in actual practice, many people do not follow the HTTP specifications. There are many reasons for this problem, such as:

　1. Many people are greedy for convenience and use GET when updating resources, because To use POST, you must go to the FORM (form), which will be a little troublesome.

2. Adding, deleting, modifying, and checking resources can actually be completed through GET/POST, and there is no need to use PUT and DELETE.

3. Another is that the early designers of the Web MVC framework did not consciously treat and design URLs as abstract resources. Therefore, a more serious problem is that the traditional Web MVC framework is basically Only supports the two HTTP methods GET and POST, but does not support the PUT and DELETE methods.

* Briefly explain MVC: MVC originally existed in the Desktop program. M refers to the data model, V refers to the user interface, and C refers to the controller. The purpose of using MVC is to separate the implementation codes of M and V, so that the same program can use different representations.

The above three points typically describe the old style (which does not strictly adhere to the HTTP specification). With the development of the architecture, REST (Representational State Transfer) now appears, a new style that supports the HTTP specification. This is not To say more, you can refer to "RESTful Web Services".

After talking about the principle issues, let’s look at the difference between GET and POST from the surface:

1. The data requested by GET will be attached to the URL After that (that is, placing the data in the HTTP protocol header), split the URL and transfer data with ?, and connect the parameters with &, such as: login.action?name=hyddd&password=idontknow&verify=%E4%BD%A0%E5%A5 %BD. If the data is English letters/numbers, send it as it is. If it is a space, convert it to +. If it is Chinese/other characters, directly encrypt the string with BASE64, and you will get something like: %E4%BD%A0%E5%A5% BD, where XX in %XX is the ASCII representation of the symbol in hexadecimal.

POST places the submitted data in the body of the HTTP package.

　2. "The data submitted by GET method can only be up to 1024 bytes. In theory, POST has no limit and can transmit a larger amount of data. The maximum is 80KB in IIS4 and 100KB in IIS5"? ? !

I transferred the above sentence from another article. In fact, it is wrong and inaccurate to say this:

　(1). First of all, "the data submitted by GET can only be up to 1024 bytes". Because GET submits data through URL, the amount of data that can be submitted by GET is directly related to the length of the URL. In fact, there is no upper parameter limit for URLs, and the HTTP protocol specification does not limit URL length. This limit is imposed by specific browsers and servers. IE's limit on URL length is 2083 bytes (2K+35). For other browsers, such as Netscape, FireFox, etc., there is theoretically no length limit, and the limit depends on the support of the operating system.

Note that this limit is the entire URL length, not just the data length of your parameter value. [See Reference 5]

　(2). Theoretically, there is no size limit for POST, and the HTTP protocol specification does not impose size limits. It is said that "POST data volume has a size limit of 80K/100K". Inaccurate, there is no limit to POST data. What is limiting is the processing capability of the server's handler.

For ASP programs, the Request object has a data length limit of 100K when processing each form field. But if you use Request.BinaryRead, there is no such restriction.

Extended from this, for IIS 6.0, Microsoft has increased restrictions for security reasons. We also need to pay attention to:

1). The default ASP POST data volume of IIS 6.0 is a maximum of 200KB, and the limit of each form field is 100KB.
　 2). The default maximum size of uploaded files in IIS 6.0 is 4MB.
　 3). The default maximum request header of IIS 6.0 is 16KB.
　IIS 6.0 did not have these restrictions before. [See reference 5]

So the 80K and 100K above may be just the default values ​​(note: I have not confirmed the parameters of IIS4 and IIS5), but they can definitely be set by yourself. Since each version of IIS has different default values ​​for these parameters, please refer to the relevant IIS configuration documentation for details.

　3. In ASP, the server uses Request.QueryString to obtain GET request parameters, and Request.Form to obtain POST request parameters. In JSP, use request.getParameter(\"XXXX\") to obtain it. Although there is also a request.getQueryString() method in jsp, it is more troublesome to use. For example: pass a test.jsp?name=hyddd&password=hyddd, use request.getQueryString() gets: name=hyddd&password=hyddd. In PHP, you can use $_GET and $_POST to obtain data in GET and POST respectively, while $_REQUEST can obtain data in both GET and POST requests. It is worth noting that there are hidden dangers in using request in JSP and $_REQUEST in PHP. I will write an article to summarize this next time.

　4.POST is more secure than GET. Note: The security mentioned here is not the same concept as the "security" mentioned in GET above. The meaning of "security" above is only that no data modification is made, and the meaning of security here is the true meaning of Security. For example: when submitting data through GET, the username and password will appear in clear text on the URL, because (1) the login page may be Browser cache, (2) other people view the browser history, then others can get your account and password. In addition, using GET to submit data may also cause Cross-site request forgery attacks.

To summarize, Get is a request to the server for data, while Post is a request to submit data to the server. In FORM (form), the Method defaults to "GET". In essence, GET and POST only have different sending mechanisms, not one is taken and the other is sent!

The above is the detailed content of Parse the difference between post and get requests. For more information, please follow other related articles on the PHP Chinese website!