

One of the most powerful features of PHP is the way it handles HTML forms. Everything submitted from a form is automatically made available to your script. For more examples of working with forms, see the chapter on Variables From External Sources. Here is an example HTML form:

Example #1 A simple HTML form

<form action="action.php" method="post">
 <p>Your name: <input type="text" name="name" /></p>
 <p>Your age: <input type="text" name="age" /></p>
 <p><input type="submit" /></p>
</form>

There is nothing special about this form: it is plain HTML with no special tags of any kind. When the user fills it in and presses the submit button, all of the form data is sent to action.php, which contains the following:

Example #2 Printing the contents of the form

Hi <?php echo htmlspecialchars($_POST['name']); ?>.
You are <?php echo (int)$_POST['age']; ?> years old.

Sample output of this script:

Hi Joe. You are 22 years old.

Apart from the htmlspecialchars() and (int) parts, it should be clear what this script does. htmlspecialchars() makes sure that any characters that are special in HTML are encoded, so that nobody can inject HTML tags or JavaScript into your page. For the age field, we know it is a number, so we can simply convert it to an integer, which strips out any stray characters. You can also have PHP do this automatically by using the filter extension. PHP sets the $_POST["name"] and $_POST["age"] variables for you automatically. Earlier we used the $_SERVER superglobal; the example above introduces the $_POST autoglobal, which holds all POST data. Note that the method of our form is POST. If we had used GET instead, the form data would be in the $_GET superglobal. If you do not care which method the form used, you can use the $_REQUEST autoglobal instead, which contains the merged GET, POST, COOKIE and FILE data. See also the import_request_variables() function.
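The following action.php is an added example, not code from the PHP manual. It handles the form above and puts the two points of the paragraph side by side: htmlspecialchars() on the free-text name field at output time, and the age field cleaned both with the (int) cast the manual shows and with the filter extension (filter_input() with FILTER_VALIDATE_INT), which, unlike the cast, lets the script tell "22" apart from "abc" or an empty field. The 0..150 range is an assumption chosen for the example.

```php
<?php
// action.php -- added example, not the manual's own code. Handles the
// name/age form from Example #1.
declare(strict_types=1);

// The fields only live in $_POST for a POST submission; the same field names
// sent by GET would land in $_GET (and in $_REQUEST), not here.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Submit this page through the form.');
}

// Name is free text, so it is encoded when it is printed. ENT_QUOTES also
// encodes single quotes, which matters if the value is ever placed inside an
// HTML attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string.
$name = htmlspecialchars(
    (string)($_POST['name'] ?? ''),
    ENT_QUOTES | ENT_SUBSTITUTE,
    'UTF-8'
);

// Age, version 1: the cast from the manual. "22abc" becomes 22 and "abc"
// becomes 0, so the cast silently accepts bad input.
$ageCast = (int)($_POST['age'] ?? 0);

// Age, version 2: the filter extension. Returns the integer for a valid whole
// number in range, false for invalid input, and null if the field is absent.
// The 0..150 range is an assumption made for this example.
$ageFiltered = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => 150],
]);

if ($ageFiltered === null || $ageFiltered === false) {
    http_response_code(400);
    exit('Please enter your age as a whole number.');
}
?>
<p>Hi <?= $name ?>.</p>
<p>You are <?= $ageFiltered ?> years old.</p>
<!-- the cast result is shown only to compare the two approaches -->
<p>(The plain (int) cast would have given <?= $ageCast ?>.)</p>
```

Submitting name "Joe" and age "22" prints the same two lines as Example #2; submitting `<b>Joe</b>` prints the tags as literal text rather than rendering them, and submitting age "22abc" is rejected with a 400 by the filter version even though the cast alone would have turned it into 22.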

PHP can also process XForms input, although you will probably prefer the long-established and well-supported HTML forms. XForms is not yet suitable for beginners, but you may still find it interesting. The Features section of the manual has a short introduction to handling data received from XForms.


User Contributed Notes (3 notes)

sethg at ropine dot com
15 years ago
According to the HTTP specification, you should use the POST method when you're using the form to change the state of something on the server end. For example, if a page has a form to allow users to add their own comments, like this page here, the form should use POST. If you click "Reload" or "Refresh" on a page that you reached through a POST, it's almost always an error -- you shouldn't be posting the same comment twice -- which is why these pages aren't bookmarked or cached.

You should use the GET method when your form is, well, getting something off the server and not actually changing anything.  For example, the form for a search engine should use GET, since searching a Web site should not be changing anything that the client might care about, and bookmarking or caching the results of a search-engine query is just as useful as bookmarking or caching a static HTML page.
Johann Gomes (johanngomes at gmail dot com)
8 years ago
Also, don't ever use the GET method in a form that captures passwords and other things that are meant to be hidden.
2 years ago
worth clarifying:

POST is not more secure than GET.

The reasons for choosing GET vs POST involve various factors such as intent of the request (are you "submitting" information?), the size of the request (there are limits to how long a URL can be, and GET parameters are sent in the URL), and how easily you want the Action to be shareable -- Example, Google Searches are GET because it makes it easy to copy and share the search query with someone else simply by sharing the URL.

Security is only a consideration here due to the fact that a GET is easier to share than a POST. Example: you don't want a password to be sent by GET, because the user might share the resulting URL and inadvertently expose their password.

However, a GET and a POST are equally easy to intercept by a well-placed malicious person if you don't deploy TLS/SSL to protect the network connection itself.

All Forms sent over HTTP (usually port 80) are insecure, and today (2017), there aren't many good reasons for a public website to not be using HTTPS (which is basically HTTP + Transport Layer Security).

As a bonus, if you use TLS you minimise the risk of your users getting code (ADs) injected into your traffic that wasn't put there by you.
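The points made in the last two notes (credentials never by GET, and no form at all over plain HTTP) can be enforced in the handler rather than left to the form markup. The login.php below is an added example and is not code from the manual or from either note's author; the host name, the cookie settings and the demo credential are constructed placeholders.

```php
<?php
// login.php -- added example (not the manual's code). Accepts credentials
// only over HTTPS and only by POST, so they never end up in a URL, a browser
// history entry, a Referer header or a web server access log.
declare(strict_types=1);

// Placeholder: the site's real host name. Building the redirect from a fixed
// value rather than $_SERVER['HTTP_HOST'] keeps a forged Host header from
// steering the redirect somewhere else.
const CANONICAL_HOST = 'www.example.com';

function isHttps(): bool
{
    // PHP sets $_SERVER['HTTPS'] for TLS requests; IIS sends 'off' for plain HTTP.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

if (!isHttps()) {
    // Redirect to the same path over HTTPS. The query string is dropped on
    // purpose: if a client did put a password in the URL, it must not be
    // forwarded again in the Location header.
    $path = strtok($_SERVER['REQUEST_URI'] ?? '/', '?');
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// From now on the browser should use HTTPS for this host without asking (HSTS).
header('Strict-Transport-Security: max-age=31536000');
// Responses carrying credentials or session state should not be cached.
header('Cache-Control: no-store');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Log in through the form, not by loading a URL.');
}

// Credentials must come from the request body. If they also appear in the
// query string, refuse the request instead of quietly reading them from $_REQUEST.
if (isset($_GET['username']) || isset($_GET['password'])) {
    http_response_code(400);
    exit('Credentials are not accepted in the URL.');
}

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

// Constructed demo credential standing in for a user store lookup; a real
// application would load the stored hash for $username from its database.
$demoUser = 'joe';
$demoHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

// password_verify() does the comparison in constant time against the stored hash.
if (!hash_equals($demoUser, $username) || !password_verify($password, $demoHash)) {
    http_response_code(401);
    exit('Invalid username or password.');
}

// Successful login: start a session whose cookie is only sent over HTTPS and
// is not readable from JavaScript, then regenerate the id so a session fixed
// before login is not carried over.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
session_regenerate_id(true);
$_SESSION['user'] = $username;
?>
<p>Welcome, <?= htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>.</p>
```

Loading `http://www.example.com/login.php?username=joe&password=x` gets a 301 to the HTTPS path with the query string gone; a GET of the HTTPS URL gets a 405; a POST over HTTPS with a query string that still carries the fields gets a 400; only a POST over HTTPS with the fields in the body reaches password_verify().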