In HTML we can send data using two different methods in a form: GET or POST. How do you know which one to use? Unfortunately, new developers can often misuse GET and POST since they can both be used for the same ends, but with different results and sometimes unexpected outcomes. In this article, I will discuss the fundamental differences between GET and POST, when to use them and best practices when using them to send data.
For the basic user, GET is form data transferred in the URL as name/value pairs. When looking at the HTML specification, GET is defined as data that is to be encoded by the browser into a URL. URL encoding is a way of formatting the query string into valid data the browser can use. If you entered the day of the week, followed by the year in a form you would probably get something like this:
There are many reasons why developers choose to use GET, and simply put, GET requests are more usable because:
- They can be cached
- They can remain the browser history
- They can be bookmarked
- They can be distributed and shared
The downsides: they can be hacked. You have to consider the security of your users when dealing with sensitive data and the possibility of transmitting that data in plain text for the whole world to see.
Aside from the ones I have listed above, there are other times you should not use GET:
- When your request contains non-ASCII characters that cannot be processed in the URL
- When using GET is that while most browsers and the RFC do not have length-related guidelines for URLs, Internet Explorer has a maximum URL length of 2,048 characters..
- When you want to hide your form implementation methods to avoid exposing hidden fields.
When processing a GET request, several things happen. The browser constructs the URL as we described above, and then processes it as if it were following a link. The browser can determine the parts of the URL and it splits it into the host and name/value pairs. It sends a GET request to the host with the name/value pairs as an argument. The server takes the name/value pairs and caches them in the browser for later use.
POST is defined as form data that is to appear in the message body, after the headers and is not visible to the user. No query string is created. The data is still send as name/value pairs but remains hidden. Since there are many considerations we have to make for sensitive data and keeping it safe on the web, POST operations will always be the better choice over GET.
The HTML specification recommends that POST be used for any kind of operating such as updating data, ordering a product or sending e-mail. If the service is associated with the processing of a form that has side effects or changes the state of the application, for example the modification of a database, you should be using POST.
POST is ideally used for sensitive data and unsafe actions because the data is not transferred openly. When a POST request is made to the server, the server receives the incoming POST message, retrieves the name/value pairs from the message body and caches the data to the server. This data can be used as long as the session remains active. Once the session is terminated on the server, the POST data will be destroyed with it.
Along with what I have already talked about above, here are some reasons when you would want to use POST:
- You don’t want the information in the URL being transferred to third-parties (like advertisers)
- You want to send large chunks of data
- You don’t want users to be able to tamper with the form data
The fundamental difference between GET and POST is that they respond to different HTTP requests in a different manner, and produce different results, as defined in the HTTP specifications. When determining which one to use, you should examine whether or not the data needs to be safeguarded or if it is OK to send it via plain text. Remember that actions that can change the state of the application such as database inserts or changes to files should be done via POST in order to protect the data that will be interacting with your system. GET should only be used in times when the data cannot affect the system such as a search box or email form.
Hopefully this article has helped you understand the difference between GET and POST and you are now better prepared to write applications using the appropriate method for sending data.