GET versus POST Requests on HTML Forms

Sending and Receiving Form Data


Unsafe POST form

Screen shot by J Kyrnin

When you are submitting a form or sending data to a web server or web page, you have two methods you can use to transfer that data:

  • get
  • post

You can tell these two methods apart by looking at how the data is sent.

GET requests are sent as a query string on the URL:

GET /index.html?name1=value&name2=value HTTP/1.1
Host: about.com

POST requests are sent in the body of the HTTP request:

POST /index.html HTTP/1.1
Host: about.com

This means the form data in a GET request can be seen by the user, because it is written into the URL, while the form data in a POST request is sent as part of the HTTP request and is not seen by the user directly.

These two types of requests are appropriate for different situations. Below you can read when to use GET and when to use POST in your forms.

When to Use GET Requests

GET requests should be used for “safe” actions (as defined in RFC 2616). Safe actions are ones that can be repeated without having an adverse effect. GET requests should be used when the submission of the elements will not change the state of the application. These are considered “safe” or idempotent requests. For example:

When a customer clicks on a link in an Ajax photo gallery application that advances the app to the next photo. The new photo is loaded, but is not changed. If the GET request were run 1000 times, the same photo would be loaded in the same fashion.

GET requests have the following features. They are defined in the URL field and because of that:

  • They remain in the browser history and can be accessed using the History API.
  • They can be cached, like any other URL.
  • They can be bookmarked or sent to other people.
  • They can be used anywhere there is a link.

Because of these features, you should never use a GET request to store sensitive data like passwords, credit card numbers, and identification codes.
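One way to check existing pages for this mistake, as an added example that is not part of the original article: a small Node.js script that scans HTML for forms submitted by GET that carry password or similarly named fields. The name hints, the sample markup and the function names are assumptions made for illustration.

```javascript
// Added example: report forms that would put sensitive fields in the URL.
// The name hints and SAMPLE markup below are constructed for illustration.
const SENSITIVE = /pass(word|wd)?|card|cvv|ssn|token|secret/i;

// Read one attribute value out of a tag's source text (null if absent).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Regex scanning is enough for a quick review; it is not a full HTML parser.
function auditForms(html) {
  const findings = [];
  for (const f of html.matchAll(/<form\b[^>]*>([\s\S]*?)<\/form>/gi)) {
    const open = f[0].slice(0, f[0].indexOf(">") + 1);
    // A missing or unrecognised method attribute makes the browser use GET.
    const method = (attr(open, "method") || "get").toLowerCase();
    if (method === "post" || method === "dialog") continue;
    const fields = [];
    for (const i of f[1].matchAll(/<(?:input|textarea|select)\b[^>]*>/gi)) {
      const name = attr(i[0], "name");
      if (!name) continue; // controls without a name are not submitted
      const type = (attr(i[0], "type") || "").toLowerCase();
      if (type === "password" || SENSITIVE.test(name)) fields.push(name);
    }
    if (fields.length) findings.push({ action: attr(open, "action") || "(same page)", fields });
  }
  return findings;
}

// Constructed sample page: two risky GET forms, one harmless, one POST.
const SAMPLE = `
<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="get">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="/pay" method="POST"><input name="card_number"></form>
<form action="/reset"><input type="hidden" name="reset_token"></form>`;

console.log(JSON.stringify(auditForms(SAMPLE), null, 2));
```

Switching a flagged form to method="post" keeps its values out of the URL, browser history and bookmarks. It does not encrypt them, so the form should still be served and submitted over HTTPS.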

Also, keep in mind that URLs in Internet Explorer do have length restrictions. And form data can get extensive. Form data that might be longer than 2,000 characters including the domain, file name, and data labels should be sent by POST rather than GET.

Ajax Applications and GET

Ajax applications are intended to be quick, and because POST requests are sent in two steps (headers and then data), they are slower than GET requests. So if you are using the XMLHttpRequest, you should use the GET request method.

When to Use POST Requests

You should use POST requests for actions that are “unsafe.” An unsafe action is one that can have adverse consequences if it is repeated. For example:

When a customer submits a web form to make a purchase, if they submit that form again, they could make the purchase a second time without realizing it. Browsers are required to display messages such as the one in the image above, when the POST method is used, so that customers are aware that something could happen if the request goes through a second time.

POST data is sent in the body of the HTTP request, not in the URL, and so is mostly invisible to end users. This makes POST requests ideal for sensitive data. The data is hidden and not cached. If a reader bookmarks the form results page, the data is not sent again. In fact, in most PHP forms, the form is simply displayed as though no data had been sent (because none has).

Also, because the HTTP request body doesn't have the same types of limits as URLs, you can use POST requests for longer data fields.

©2014 About.com. All rights reserved.