Using the POST method to hide URL parameters

Time: 2022-11-29 10:35:39

I understand that I am able to use the POST method for URL parameters to display data according to a specific variable, I know how to make use of the GET method - but I am told that the POST method can be used to hide the part of the URL that is like this.

/data.php?parameter=1234

What is the actual difference of the two methods in terms of URL parameters?

Below is some code that fetches data from a database according to the id of a specific link

    <?php
    // This includes the variables, adjusted within the 'config.php' file, and the functions
    // from 'functions.php' - the config variables are adjusted prior to anything else.
    require('configs/config.php');
    require('configs/functions.php');

    // This is the actual interaction with the database, according to the id.
    $query = mysql_query("SELECT * FROM table WHERE id=" . $_GET['id'] . ";") or die("An error has occurred");

    // This redirects the user to an error page, preventing them from viewing the page
    // if there are no rows with data equal to the query.
    if (mysql_num_rows($query) < 1)
    {
        header('Location: 404.php');
        exit;
    }

    // Here each cell in the database is fetched and assigned a variable.
    while ($row = mysql_fetch_array($query))
    {
        $id = $row['id'];
        $title = $row['title'];
        $month = $row['month'];
        $day = $row['day'];
        $photo = $row['photo'];
        $text = $row['text'];
    }
    ?>

On a separate page I generate links to the data.php file according to the ID like so:

<a href="post.php?id=<?php echo $content['id']; ?>"><?php echo $content['title']; ?></a>

Forgetting that there are potential SQL injections that can occur through the above code, how would I go about making use of the POST method in order to hide the URL parameters, or at least not display them like this:

http://example.com/data.php?id=1

6 solutions

#1


2  

In order to use POST, you will need to use a <form> tag, and depending on how you are pulling up these URLs, it could be easier to use javascript to help out. Here's a basic example:

<form method="post" action="data.php">
    <input type="hidden" name="parameter" value="1234" />
    <input type="submit" value="Go" />
</form>

The Go button would POST the form data, and now in data.php you will be able to retrieve the value from $_POST['parameter']. Note that when using POST, you will probably want to redirect (HTTP 302) back to a page so that when a user hits the back button, the browser doesn't prompt to resubmit the form.

Using javascript, you could set the parameter input to a different value before posting the form.

#2


2  

Use method "POST" for your form. I had the same issue, just adding POST to the form removed the parameters from the URL

<form id="abc" name="abc" action="someaction.php" method="post">
    <input type="text" id="username" name="username"/>
    <input type="password" id="password" name="password"/>
    <input type="submit" id="submit" name="submit" value="submit"/>
</form>

#3


0  

To POST values, a browser would have to use a form with method="post", or javascript simulating a form. Various developer tools (Firebug, etc) can convert GET forms to POST forms, but generally, a form is what is required.

In theory GET requests should not have any side effects, and "should" be consistent from request to request. That is, the server should return the same content. In today's world of just about everything being dynamic, this might be of little practical design significance.

#4


0  

Whether you use GET or POST, the parameters will appear in $_REQUEST. The critical difference is that using POST allows the variables NOT to appear in URL history. This decreases the visibility of data such as passwords which you do not want to show up in URL history. To use POST instead of GET, simply produce <form method="POST" ...> in the document.

Even better is to store sensitive values (like user ids) in cookies, so that they don't appear in $_REQUEST at all. Since the contents of cookies are provided in extra HTTP request headers, not in the content, they are generally not stored as part of the history.

#5


0  

In order to use POST instead of GET, you would need to use an HTML form tag in your html, like so:

<form method="POST" action="/data.php">
  <input type="hidden" name="parameter" value="1234" />
  <button type="submit">Submit</button>
</form>

When submitted, your URL will just be /data.php and parameter=1234 will be in your (hidden) post buffer.

Make sense?

#6


0  

To do a POST, you have to use a form, or some javascript/ajax trickery. An <a> will only ever cause a GET request.

Note that POST requests can still have query parameters in the URL. It's not "normal" to have them, but they are allowed. The main difference being that with a GET request (ignoring cookies), the URL is the ONLY way to send parameters/data to the server. With POST, you can use both the URL, and the body of the POST request, which is where POSTed form data is normally placed.
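
An added example, not part of any answer above and not the asker's code: a hardened counterpart to the question's data.php lookup that takes the id from the POST body. Moving the id into the body only keeps it out of the address bar; the value is still client-controlled, so it is validated and bound as a parameter. The `posts` table, the `fetch_post` helper and the in-memory SQLite database are assumptions made so the example runs offline.

```php
<?php
// Added example: hardened counterpart to the question's data.php lookup.
// Assumptions: PDO with the SQLite driver, a table named "posts" (the
// question's table name is a placeholder), and constructed sample data.

// Validate the client-supplied id and look it up with a bound parameter.
// Returns the row as an array, or null when the id is invalid or unknown.
function fetch_post(PDO $pdo, $rawId): ?array
{
    // A POSTed value is still client-controlled: accept positive integers only.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT id, title, text FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, text TEXT)');
$pdo->exec("INSERT INTO posts (id, title, text) VALUES (1, 'First post', 'Hello')");

// In data.php the value would come from the form body: $_POST['id'] ?? null.
// Constructed inputs stand in for it here: a valid id, an unknown id,
// a non-integer string, and a missing field.
foreach (['1', '2', '1 OR 1=1', null] as $input) {
    $row = fetch_post($pdo, $input);
    if ($row === null) {
        // data.php would send the 404 redirect here, as in the question.
        echo var_export($input, true), " => not found\n";
    } else {
        // Escape on output, since the title is rendered into HTML.
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
        echo var_export($input, true), " => ", $title, "\n";
    }
}
```

The same `fetch_post` call works unchanged if the id arrives via `$_GET`, because the validation and the bound parameter do not depend on where the value was read from.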
