3

Is there a difference if a parameter of a POST-form is placed in the query string:

<form action="mysite.com/index.php?myparam=myvalue">
    ...more inputs here
</form>

and placing it as a hidden input?

<form action="mysite.com/index.php">
    <input type="hidden" value="myvalue">
    ...more inputs here
</form>

I'm using Joomla, but it's totally unrelated actually. I see that there's a bit of "here and there" in their tutorials, but does it actually matter? What are the implications if I use either one?

NOTE: I forgot to place action=post in the forms which has changed the question totally. however, with the arrival of interesting answers which answered more than just my question, I decided to leave them as is.

Improve this question
0

3 Answers 3

Reset to default
5

Yes, there is a difference, technically and conceptually. The way that difference affects you depends on the application server that handles the request (well, and on your preferences, of course).

Technical difference:

In most application servers, the source of a parameter (URL or FORM) determines where they end up. In PHP, url parameters go in the $_GET and form fields in the $_POST superglobals, respectively. If you don't care about the technical difference, there is a $_REQUEST superglobal for your convenience.

Conceptional difference:

It is most logical to make a difference between two types of request parameters:

  • Such that are required to render a page, i.e. they don't change anything in the database if you send the request again.
  • Such that change the database, i.e. are destructive (they are the reason why browsers ask if you are okay with posting a page again if you hit refresh).

The former ones are called idempotent and should be transferred via GET. A good example would be a search string or a record ID. No matter how often your hit refresh, the database stays untouched.

The other kind of parameter is data that should be stored in the DB. It would be destructive in the sense that it actually changes database contents. These parameters should be transferred via POST.

By the way, this is also a good way to decide if your form should be method="GET" or method="POST": Whenever form input is idempotent on the database, use a GET form. For example a user search form should be GET, a user preferences form should be POST.

Now you could argue that in your case the record ID is idempotent, but the other bits of information in your form are not. In this case I find it most idiomatic to use

<form action="mysite.com/index.php?id=1234" method="POST">
    <!-- ...more inputs here -->
</form>

since a GET mysite.com/index.php?id=1234 would request that very record.

There is no need to do it that way, though - of course you can post the ID as a hidden input.

Two things you should be aware of, though:

  • In this case the HTTP server logs would not show evidence of which record the user posted to (if you care for that).
  • This kind of separation only works for POST forms. GET forms ignore the parameters in action attribute, you must specify all of them in as hidden input fields.
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

1. $_REQUEST superglobal for your INconvenience. 2. for the POST forms the query string doesn't matter, as you have to do a GET redirect anyway.
@Col.Shrapnel 1. This depends on your preference. 2. By no means you have to do a GET redirect.
it is matter of sane design, not "preference".
@Col.Shrapnel This may be so, but _REQUEST is a regular part of PHP, it is not depracated and I mentioned it because it was logical to mention it. Discussing its sanity in is somewhat besides the point of the question.
it is point of the answer. $_REQUEST being the same mess as request variables in the global scope. And a consequence of the mess in the developer's head, when he have no idea where his data coming from.
|
3

for the POST form there is no difference.
for the GET form the entirely new query string would be composed of the form fields, eliminating all existing values - so, never use query string for the GET forms, use hidden fields instead.

Improve this answer

5 Comments

not that important. everyone will learn that as soon as they try to use query string with the GET form - not a big deal.
so you mean that if i use GET for my forms, anything in the query string gets discarded and only the form fields get through? and about what the other guy commented, is it true you can access a POST query string using $_GET[]?
@fskreuz - the other answer didn't say you can access POST data using GET. He was saying that if the form had method=post and a querystring for action=site.php?querystring then you would need to parse them separately using $_POST and $_GET.
@fskreuz what about writing a test form and seeing it with your own eyes? it will take you less writing than this comment. And there is no such thing like POST query string. But query string only, which being part of the uri section of the HTTP request.
@Col.Shrapnel i apologize for that, i though i had typed method=post in my question. and chrome debugger separates the values as form data which are the field values and query string parameters which is the ones in the form action when submitting a form - hence the POST query string.
1

There IS a difference because the GET parameters passed to the action attribute are dismissed. You should use hidden fields.

If you specify the method attribute in your form and set its value to "POST", then you will have to parse both the GET and POST parameters.

I used the following file to test (name it "testget.php"):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title>Test GET</title>
    </head>
    <body>
        <p>
            <?php
                if( ! empty( $_GET ) )
                {
                    print_r( $_GET );
                }
                if( ! empty( $_POST ) )
                {
                    print_r( $_POST );
                }
            ?>
        </p>
        <p>No method attribute</p>
        <form action="testget.php?foo=bar">
            <input type="hidden" name="bar" value="foo" />
            <input type="submit" value="Submit" />
        </form>
        <p>method="get"</p>
        <form action="testget.php?foo=bar" method="get">
            <input type="hidden" name="bar" value="foo" />
            <input type="submit" value="Submit" />
        </form>
        <p>method="post"</p>
        <form action="testget.php?foo=bar" method="post">
            <input type="hidden" name="bar" value="foo" />
            <input type="submit" value="Submit" />
        </form>
    </body>
</html>

Output:

No method attribute:Array ( [bar] => foo )

method="get":Array ( [bar] => foo )

method="post": Array ( [foo] => bar ) Array ( [bar] => foo )
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.