
Using the GET method in a PHP form


This tutorial covers how PHP handles form data submitted via the GET method.

Introduction to the query string

GET data comes from the URL itself, and will typically follow the name of the script file in the URL. The start of GET data is indicated with a question mark (?). The name of the field is followed by an equal sign (=) and the value of the field. Each field is then separated by an ampersand (&). Here’s an example of a URL with GET data for first and last name:

http://www.mysite.com/myform4.php?firstname=bob&lastname=smith

You can set web forms to submit via the GET method if you so choose, but most forms use the POST method because it “hides” the form data away from the user and doesn’t clutter up the URL in the address bar.

Note that GET and POST methods are equally (in)secure.

As easily as a user can monkey with GET data in a URL, the same thing can be done with POST data. You should always assume that the user can submit whatever form and form data that they want to, and process the data accordingly. Don’t trust user input, whether it’s from GET or from POST!

GET data is accessed in the same way that POST data is in PHP, except with $_GET instead of $_POST.

<?php
   // Both values come straight from the URL and must not be trusted (see the
   // note above): escape them before echoing, and cope with a missing field.
   $firstname = isset($_GET['firstname']) ? $_GET['firstname'] : '';
   $lastname  = isset($_GET['lastname'])  ? $_GET['lastname']  : '';
   echo("First name: " . htmlspecialchars($firstname) . "<br />\n");
   echo("Last name: " . htmlspecialchars($lastname) . "<br />\n");
?>

One common use of the query string is page numbers. If you have multiple pages of content (a list of cities, for example), you can use anchor tag links with query string variables. Here’s an example.


<?php
   $varPage = $_GET['page'];
   
   $varPrevious = $_GET['page'] - 1;
   $varNext = $_GET['page'] + 1;
   
   // . . . snip . . . 
   // use MySQL to get data for page number $varPage

   // . . . snip . . . 
   
   // display all data from MySQL query
?> 
<p>
<a href="cities.php?page=<?=$varPrevious;?>">Previous</a>
<a href="cities.php?page=<?=$varNext;?>">Next</a>
</p>

That is a very simple example, and needs some validation and some changes to the math, but you get the picture. There’s no form required, only two anchor tags for the next and previous page.
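The same pagination with the validation the example above leaves out, as an added example that is not part of the original tutorial. It assumes PHP 7 or later and uses a constant page count ($totalPages) where the original would run a MySQL query.

```php
<?php
// Added example: validated pagination over the "page" query-string field.
// $totalPages is a constructed stand-in for a row count from the database.
declare(strict_types=1);

/**
 * Return a validated page number from a raw query-string value.
 * Anything that is not an integer in the range 1..$totalPages falls back to 1.
 */
function validatedPage($raw, int $totalPages): int
{
    // FILTER_VALIDATE_INT rejects "3abc", "1e3", " 3" and the like; the
    // range options reject 0, negatives and pages past the end.
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $totalPages],
    ]);
    return $page === false ? 1 : $page;
}

/** Build a safe "cities.php?page=N" link, or null when no such page exists. */
function pageLink(int $page, int $totalPages): ?string
{
    if ($page < 1 || $page > $totalPages) {
        return null;   // no "Previous" on page 1, no "Next" on the last page
    }
    // http_build_query() URL-encodes the parameter; htmlspecialchars()
    // escapes the result again for the HTML attribute context.
    $query = http_build_query(['page' => $page]);
    return 'cities.php?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
}

$totalPages = 12;   // constructed value; normally derived from a COUNT(*) query
$varPage  = validatedPage($_GET['page'] ?? null, $totalPages);
$varPrev  = pageLink($varPage - 1, $totalPages);
$varNext  = pageLink($varPage + 1, $totalPages);

// . . . fetch and display the rows for page $varPage here . . .
?>
<p>Page <?= $varPage ?> of <?= $totalPages ?></p>
<p>
<?php if ($varPrev !== null): ?><a href="<?= $varPrev ?>">Previous</a><?php endif; ?>
<?php if ($varNext !== null): ?><a href="<?= $varNext ?>">Next</a><?php endif; ?>
</p>
```

Requesting cities.php?page=abc or cities.php?page=999 now lands on page 1 instead of producing a bogus page number in the links.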

Register globals off?

If you are using a version of PHP earlier than 4.2.0, you should strongly consider setting register_globals to “off” in your .htaccess file (if you are using Apache server). Otherwise, variables like those in the GET data will be registered as global variables and not simply confined to the $_GET array. For instance, if register_globals is “on” (by default in versions older than 4.2.0, it is), this would be another way to do the same thing as the previous code example:

<?php
   // $firstname and $lastname exist only because register_globals copied
   // the GET fields into global variables.
   echo("First name: " . $firstname . "<br />\n");
   echo("Last name: " . $lastname . "<br />\n");
?>

While this may seem convenient, it also opens up the possibility of a malicious user monkeying around with your code! Consider this example:

<?php
   // With register_globals on, both $password and $showsecret can be set
   // directly from the query string.
   if($password == "topsecretpassword") {
      $showsecret = "yes";
   }
   
   if($showsecret == "yes") {
      echo("My credit card number is 12345");
   }
?>

In the above sample, a malicious user doesn’t need to know the top secret password. All he has to do is request the URL http://www.mysite.com/myscript4.php?showsecret=yes, and $showsecret is already set to "yes" before the password check runs. That’s a very contrived example, but you get the picture. The only reason to have register_globals on is for convenience, and this benefit is far outweighed by security concerns. If you have PHP 4.2.0 or later, don’t worry about it.

More on GET

Another factor with GET is that the value of a GET field cannot exceed 100 characters. You might ask why on earth you would ever use GET at all? For one, an input can consist of just a URL link instead of a full-fledged form.

GET data also makes it easier for a user to bookmark a certain page of data (http://www.mysite.com/product.php?page=3) or some dynamic content typically pulled from a database (http://www.mysite.com/article.php?id=123).

The more you program, the more you will get a feel for when it’s appropriate to use GET and when it’s appropriate to use POST.
