How should I choose between GET and POST methods in HTML forms?

醉话见心 2020-11-27 18:42

I wish to know all the pros and cons about using these two methods. In particular the implications on web security.

Thanks.

17 answers
  • 2020-11-27 19:05

    David M's answer gets my vote.

    I just wanted to add one item that I heard about, maybe it was an urban legend??

    Someone had a site with links that were only for internal use to delete files on their website. All was well until a web spider (I think it was Google) somehow found these links and merrily followed each one, causing all the files on his site to be deleted. The links used GET and should have used POST, as spiders don't follow POST links.

    0 Discussion (0)
  • 2020-11-27 19:06

    One security issue in GET that is often overlooked is that the web server log contains the full URL of every page access. For GET requests, this includes all the query parameters. This is saved to the server log in plain text even if you access the site securely.

    The server logs are often used by site statistics apps, so it's not just the server admin who might see it.

    The same caveat applies with third-party tracking software, such as Google Analytics: they record the full URL of the page, again including the GET query parameters, and report it to the analytics user.

    Therefore, if you are submitting sensitive data (passwords, card numbers, etc etc), even if it's via AJAX and never appears in the browser's actual URL bar, you should always use POST.

    0 Discussion (0)
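
Added example (not part of the answer above or of the original thread): a Python sketch that scans access-log lines for sensitive parameter names in the logged URL and redacts their values. The parameter-name list, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed list of parameter names treated as sensitive; adjust per application.
SENSITIVE = {"password", "passwd", "pwd", "card", "cardnumber", "cvv", "token"}

# Request field of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def sensitive_params(line):
    """Return the sensitive parameter names exposed in the logged URL."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # Match on exact parameter names, not on substrings of the values.
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE]

def redact(line):
    """Return the line with the values of sensitive parameters replaced."""
    if not sensitive_params(line):
        return line  # leave clean lines byte-for-byte unchanged
    m = REQUEST_RE.search(line)
    parts = urlsplit(m.group("target"))
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts.path + "?" + urlencode(pairs)
    return line[:m.start("target")] + target + line[m.end("target"):]

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2020:19:06:01 +0000] '
    '"GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Nov/2020:19:06:05 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.9 - - [27/Nov/2020:19:06:09 +0000] '
    '"GET /search?q=executive+mba HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hits = sensitive_params(entry)
        if hits:
            print("exposed in log:", hits)
        print(redact(entry))
```

The POST line carries no parameters in the log at all, which is the difference the answer describes; redaction after the fact only limits further spread, because the original log and any copies already hold the value.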
  • 2020-11-27 19:06

    Both sets of values are easily monitored by hackers or other stuff, but GET is less secure in the way that it's very visible what the values are (right in the address bar).

    Use SSL for security if that is needed.

    Good advice: always use POST for forms; use query strings (?value=products) when you are not posting things but are trying to GET a specific page, like a product page. Hence the names POST and GET :)

    0 Discussion (0)
  • 2020-11-27 19:08

    It depends on the type of data and size of data you want to transfer. With GET you can pass a maximum of 255 characters to the action page. With the POST method, you don't have such limitations. POST gives more privacy to the data as it is not displayed anywhere. Anything you send using the GET method is displayed in the address bar of the browser.

    Many of the search sites normally use the GET method as this gives you the facility to bookmark your search queries. Hope this helps.

    0 Discussion (0)
  • 2020-11-27 19:08

    One gotcha I noticed the other day and it was a real "DUH!" moment for me.

    We have a third party search engine on our site and they use the GET method to post the search query to their code. In addition, I had some code that looked for possible SQL injection attacks in the querystring. My code was screwing everything up because it was looking for words like "EXEC", "UPDATE", "DELETE", etc. Well, turns out the user was looking for "EXECUTIVE MBA" and my code found "EXEC" in "EXECUTIVE" and banned their IP.

    Believe me, I'm not bragging about my code, just saying that choosing between GET and POST has semi-far reaching implications other than "do I want my passwords showing up in the querystring".

    0 Discussion (0)
  • 2020-11-27 19:11

    Both GET and POST have their place. You should not rely on either of them for security.

    GET requests

    • are easily cachable
    • are easily bookmarkable
    • are subject to URI length limitation
    • may show parameters in access logs

    POST requests

    • allow file uploading
    • allow large data
    • do not show parameters in browser address bar

    Do you want the result of the form submission to be bookmarkable (think Google search)? Use GET.

    Would you like the result of the form submission to be cachable? Use GET.

    Are your requests not idempotent (safely repeatable)? Use POST and then always redirect to a page that is suitable to get via HTTP GET.

    Do you need file uploads? Use POST.

    0 Discussion (0)