PHP-based POST, GET, and phppostget. The difference between POST and GET, phppostgetpost, and get based on PHP: *. when the Post transmits data, it does not need to be displayed in the URL, but the Get method should be displayed in the URL. *. A large amount of data transmitted by Post. PHP: POST, GET, and phppostget
Difference between post and get
Important:* When Post is used to transmit data, it does not need to be displayed in the URL, but the Get method must be displayed in the URL.
*. The size of Post data transmission can reach 2 MB. the Get method can only transmit about 1024 bytes because it is limited by the URL length.
* As the name implies, Post is to transmit data to the server segment, and Get is to obtain data from the server segment. The reason why Get can also transmit data is to design and tell the server what data you actually need. The Post information is used as the content of the http request, while Get is transmitted in the Http header.
Detailed description:1. Get transmits user data through URL requests, connects the names of fields in the form with their content in pairs, and places them in the url of the program indicated by the action property, the data is directly displayed on the url, just as you click a link. The Post method uses the HTTP post mechanism to place the names and content of fields in the form in the HTML header) the program is sent to the server together and processed by the program that can be referred to by the action attribute. the program reads and processes the form data in the standard input (stdin) mode. 2. the Get method needs to be used.
Request. QueryStringTo obtain the value of the variable. Post method
Request. FormTo access the submitted content.
3. the size of data transmitted in Get mode is very small, generally around 2 KB, but the execution efficiency is better than that of Post method. The size of data transmitted in Post mode is relatively large, it waits for the server to read data and has byte restrictions to avoid malicious attacks against the server with a large amount of data.
Suggestion: unless you are sure that the data you submit can be submitted at one time, try to use Post method 4 and Get to submit the data, which may cause security issues. we recommend that you use Post for form submission; (for example, when you submit data through Get on the login page, the user name and password are displayed in the URL. if the page can be cached or other people can access the client's machine, the user's account and password can be obtained from the historical records. the common problem on the form page submitted by the Post method is that if the page is refreshed, a dialog box is displayed. Suggestion: For the sake of security, it is best to use Post to submit data. 5. Get limits the value of the Form dataset must be ASCII characters, while Post supports the entire iso000046 character set.
6. Get is the default Form method. In the HTTP protocol, four verbs indicate the operation method: GET, POST, PUT, and DELETE. They correspond to four basic operations:
GET is used to obtain resources.
POST is used to create resources (or to update resources)
PUT is used to update resources.
DELETE is used to DELETE resources.
PHP automatically escapes data obtained through post/get
According to different server configurations, some special conformances such as ', "may be escaped when data is obtained through post or get. This problem is mainly caused by PHP magic quotes. PHP magic quotes includeMagic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase.
Magic_quotes_gpcSummary:
1. for magic_quotes_gpc = on,
We can perform addslashes () and stripslashes () operations on the string data of the input and output databases, and the data will be displayed normally. If you have performed addslashes () processing on the input data at this time, you must use stripslashes () to remove unnecessary backslash when outputting the data.
2. magic_quotes_gpc = off
You must use addslashes () to process the input data, but you do not need to use stripslashes () to format the output because addslashes () does not write the backslash together into the database, it only helps mysql to complete SQL statement execution.
About magic_quotes_gpc = on in php injection
Everyone knows the php configuration file php. in. if the magic_quotes_gpc configuration in it is opened, magic_quotes_gpc = on anyone who knows something about php knows it.
Then we need to inject numeric fields.
1
123Sample test456
7 User ID:
8 Password:
9
10
11
If entered correctly:
SELECT * FROM tbltable_users WHERE userid = admin AND password = 'admin' LIMIT 0, 1
If the attacker enters admin OR 1 = 1 # At username, the SQL statement injected is as follows:
SELECT * FROM table_users WHERE userid = admin OR 1 = 1 # AND password = 'admin' LIMIT 0, 1
The following code can be injected.
In php. ini, set the display_errors option to display_errors = off.
Magic_quotes_runtime
If it is enabled, most of the functions that retrieve data from external sources and return data, including the database and text files, will be escaped by the backslash. This option can be changed at runtime. the default value in PHP is off.
Magic_quotes_sybase
If it is enabled, single quotes are used to escape single quotes rather than backslash. This option will completely overwrite magic_quotes_gpc. If two options are enabled at the same time, the single quotation marks will be converted ". Double quotation marks, backslash, and NULL characters are not escaped.
Because the configurations of different servers are different, you need to use get_magic_quotes_gpc () in the code to detect the server configuration.
1 if (isset ($ _ POST ['c']) {2 $ s =$ _ POST ['c']; 3 if (get_magic_quotes_gpc ()) 4 $ s = stripslashes ($ s); // The stripslashes () function deletes the backslash added by the addslashes () function. 5 // do something6}
Difference between batch post and get: *. when Post transmits data, it does not need to be displayed in the URL, but the Get method must be displayed in the URL. *. The amount of data transmitted by Post is large...