HTTP GET and POST Methods - Dleifnesor/NET-215 GitHub Wiki
HTTP messages consist of the following components:
Request:
- Start Line: Contains the HTTP method (e.g., GET, POST).
- Headers: Key-value pairs that provide metadata.
- Body: Used mainly with POST to send data.
Response:
- Status Line: Provides the status code (e.g., 200 OK).
- Headers: Metadata from the server.
- Body: Usually contains the HTML or other response content.
Raw HTTP Request
```http
GET /welcome_get.php?name=adam&[email protected] HTTP/1.1
Host: 192.168.1.212
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.1.212/forms/GET-Form.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
```
- Query Parameters are in the URL.
- No message body is present.
- Visible in browser history and logs.
- Example URL:
http://192.168.1.212/welcome_get.php?name=adam&[email protected]
Raw HTTP Request
```http
POST /welcome_post.php HTTP/1.1
Host: 192.168.1.212
Connection: keep-alive
Content-Length: 31
Cache-Control: max-age=0
Origin: http://192.168.1.212
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.1.212/forms/POST-Form.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

name=adam&email=adam%40test.com
```
- Data is sent in the body, not the URL.
- Better suited for sensitive or large inputs.
- Not stored in browser history.
- Content is URL-encoded.
Aspect | GET | POST |
---|---|---|
Data Location | URL query string | Message body |
Visibility | Easily visible in browser and server logs | Hidden from URL and history |
Max Data Length | Limited by URL length (2k-8k chars) | No practical limit for typical form data |
Use Case | Data retrieval, safe for bookmarks | Data submission (login, messages, file upload) |
Risk with HTTP | High – visible in transit/logs | Moderate – still readable without HTTPS |
HTTP is not encrypted.
Anyone who can capture packets on the network path can:
- Read all headers (request and response),
- See HTML content,
- Intercept form data (e.g., login info, messages).
Use HTTPS to protect HTTP traffic.
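
Added example (not part of the original wiki): a small Python parser run over constructed copies of the two raw requests above. It reports whether the form fields travel in the URL or in the body, and what a request-line access log would record. The function name `parse_request` and the sample value `adam%40test.com` in the GET URL are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests modelled on the captures above (test values only).
GET_RAW = (b"GET /welcome_get.php?name=adam&email=adam%40test.com HTTP/1.1\r\n"
           b"Host: 192.168.1.212\r\n\r\n")
POST_RAW = (b"POST /welcome_post.php HTTP/1.1\r\n"
            b"Host: 192.168.1.212\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 31\r\n\r\n"
            b"name=adam&email=adam%40test.com")

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request and report where the form fields travel."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Reject a body whose size disagrees with the declared Content-Length.
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} != body size {len(body)}")
    url = urlsplit(target)
    fields, location = {}, "none"
    if url.query:
        fields, location = parse_qs(url.query), "url"
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        fields, location = parse_qs(body.decode("ascii")), "body"
    return {
        "method": method,
        "location": location,
        "fields": {k: v[0] for k, v in fields.items()},
        # The request line is what an access log records; the body is not part of it.
        "logged": f"{method} {target} {version}",
    }

if __name__ == "__main__":
    for raw in (GET_RAW, POST_RAW):
        info = parse_request(raw)
        print(info["method"], info["location"], info["fields"])
        print("  access log sees:", info["logged"])
```

Both requests decode to the same fields, but only the GET request line carries them into the log entry; on plain HTTP both are equally readable on the wire.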
A form (`<form>`) on a webpage allows a user to enter data to:
- Be processed client-side (e.g., with JavaScript), or
- Be submitted server-side (e.g., PHP scripts via GET or POST).
Basic structure:
```html
<form action="endpoint.php" method="get|post">
  <input type="text" name="example">
</form>
```
- `action` specifies the server-side script URL.
- `method` determines how the data is sent (`get` or `post`).
```html
<html>
<head>
<title>NET 225 GET Sample Form</title>
</head>
<body>
Hello NET 225 Student - Please provide the following for this simple GET form:<br>
<form action="welcome_get.php" method="get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
```
```http
GET /welcome_get.php?name=adam&[email protected] HTTP/1.1
Host: demo-site.com
```
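```php
<html>
<body>
<?php // Escape user input before echoing it into HTML to prevent reflected XSS. ?>
Welcome <?php echo htmlspecialchars($_GET["name"] ?? "", ENT_QUOTES, "UTF-8"); ?><br>
Your email address is: <?php echo htmlspecialchars($_GET["email"] ?? "", ENT_QUOTES, "UTF-8"); ?>
</body>
</html>
```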
```html
<html>
<head>
<title>NET 225 POST Sample Form</title>
</head>
<body>
Hello NET 225 Student - Please provide the following for this simple POST form:<br>
<form action="welcome_post.php" method="post">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>
</body>
</html>
```
```http
POST /welcome_post.php HTTP/1.1
Host: demo-site.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

name=adam&[email protected]
```
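```php
<html>
<body>
<?php // Escape user input before echoing it into HTML to prevent reflected XSS. ?>
Welcome <?php echo htmlspecialchars($_POST["name"] ?? "", ENT_QUOTES, "UTF-8"); ?><br>
Your email address is: <?php echo htmlspecialchars($_POST["email"] ?? "", ENT_QUOTES, "UTF-8"); ?>
</body>
</html>
```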
Feature | GET | POST |
---|---|---|
Data visible in URL | Yes | No |
Can be cached | Yes | No |
Stored in browser history | Yes | No |
Bookmarkable | Yes | No |
Length limitations | Yes | No |
Suitable for sensitive data | No | Yes |
Avoid using GET to send passwords or sensitive data.
- GET: Use for non-sensitive, idempotent requests (e.g., search).
- POST: Use for sensitive or large payloads, especially when modifying data.
- Prefer HTTPS for all communications involving personal data.