POST vs. GET differences
Key points:
* POST does not show the transmitted data in the URL, whereas GET shows it in the URL.
* POST can transmit a large amount of data, up to 2 M, whereas GET can pass only about 1024 bytes because of the URL length limit.
* As the name implies, POST transfers data to the server side, while GET gets data from the server side. GET can also transmit data, but only to tell the server what kind of data you need. POST information is carried as the content of the HTTP request, while GET information is transmitted in the HTTP header.
Detailed description:
1. GET passes the user's data through the URL of the request: each form field name and its contents are joined into paired strings and appended to the URL of the program named in the action attribute, so the data is displayed directly in the URL, just as if the user had clicked a link. POST uses the HTTP POST mechanism, which places each form field name and its contents in the HTML header (header) and sends them to the server-side program named in the action attribute; that program reads the form data from standard input (stdin) and processes it.
2. With GET, use request.querystring to get the value of a variable. With POST, use request.form to access the submitted content.
3. GET transmits very little data, generally limited to about 2 KB, and executes more efficiently than POST. POST transmits a relatively large amount of data, which waits for the server to read it; it also has a byte limit, so that the server cannot be attacked maliciously with large amounts of data.
Recommendation: unless you are sure that your data can be submitted in one go, use the POST method.
4. Submitting data with GET brings security problems, so POST is recommended for form submission. For example, if a login page submits data with GET, the user name and password appear in the URL; if the page can be cached or someone else can access the user's machine, the account name and password can be obtained from the history. The common problem with form pages submitted by POST is that a dialog box pops up when the page is refreshed.
Recommendation: for security reasons, it is best to use POST to submit data.
5. GET restricts the values of the form data set to ASCII characters, while POST supports the entire ISO10646 character set.
6. GET is the default method for a form.
In the HTTP protocol, there are four verbs that represent the mode of operation: GET, POST, PUT, DELETE. They correspond to four basic operations, respectively:
GET is used to get resources.
POST is used to create a new resource (it can also be used to update resources).
PUT is used to update resources.
DELETE is used to remove resources.
PHP automatically escapes data obtained by POST/GET
Depending on the server configuration, some special characters such as ', ' may appear in data obtained via POST, GET, and so on. This problem is mainly caused by PHP magic quotes. PHP magic quotes include magic_quotes_gpc, magic_quotes_runtime, and magic_quotes_sybase.
magic_quotes_gpc is summarized as follows:
1. In the case of magic_quotes_gpc = on,
we do not need to apply addslashes() and stripslashes() to string data going into and coming out of the database, and the data will be displayed normally. If you do apply addslashes() to the input data in this case, you must use stripslashes() to remove the extra backslashes when you output it.
2. In the case of magic_quotes_gpc = off,
the input data must be processed with addslashes(), but you do not need to use stripslashes() on the output, because addslashes() does not write the backslash to the database; it only helps MySQL complete the execution of the SQL statement.
About magic_quotes_gpc = on in PHP injection
Anyone who knows a little PHP knows that the PHP configuration file php.ini contains the magic_quotes_gpc setting, and that it may be turned on, that is, magic_quotes_gpc = on.
In that case, the injection targets a field of numeric type.
<?php
if (isset($_POST["User_login"])) {
    // connecting to a database
    $t_struid = $_POST["username"];
    $t_strpwd = $_POST["Userpwd"];
    // uid is a numeric field, so its value goes into the SQL without quotes
    $t_strsql = "SELECT * from Tbl_users WHERE uid=$t_struid and password = '$t_strpwd' LIMIT 0,1";
    if ($t_hres = mysql_query($t_strsql)) {
        // Successful query
    }
}
?>
<html>
<head>
<title>Sample test</title>
</head>
<body>
<form method="post" action="">
User ID: <input type="text" name="username" size="30"><br>
Password: <input type="text" name="Userpwd" size="30"><br>
<input type="submit" name="User_login" value="Login">
</form>
</body>
</html>
If entered correctly:
SELECT * from Tbl_users WHERE uid=admin and password = 'admin' LIMIT 0,1
If the attacker enters admin OR 1 = 1 # in the username field, the resulting SQL statement is as follows:
SELECT * from Tbl_users WHERE uid=admin OR 1 = 1 # and password = 'admin' LIMIT 0,1
The injection can then proceed.
To prevent it, set the display_errors option in php.ini to display_errors = off.
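The following PHP sketch is an added example, not code from the original page: it shows why the escaping that magic_quotes_gpc applied leaves the unquoted numeric field open to the input above, next to a lookup that validates the id as an integer and binds both values through a PDO prepared statement. The function names and the in-memory SQLite table are assumptions made for the demonstration. Note that display_errors = off only hides error messages from the visitor; it does not change the query that is executed.

```php
<?php
// Added example, not from the original page. Function names and the in-memory
// SQLite table are constructed; table and column names follow the page's query.

// magic_quotes_gpc was removed in PHP 5.4; addslashes() reproduces what it did
// to every GET/POST/COOKIE value.
function magic_quotes_on(string $v): string {
    return addslashes($v);
}

// The page's query: uid is numeric and unquoted, password is quoted.
function build_query_unsafe(string $uid, string $pwd): string {
    return "SELECT * FROM Tbl_users WHERE uid=$uid AND password = '$pwd' LIMIT 0,1";
}

// Hardened lookup: reject anything that is not an integer, then bind both values.
function find_user(PDO $db, string $uid, string $pwd): ?array {
    $id = filter_var($uid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // non-numeric input never reaches the database
    }
    $st = $db->prepare('SELECT uid FROM Tbl_users WHERE uid = ? AND password = ? LIMIT 1');
    $st->execute([$id, $pwd]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$payload = 'admin OR 1 = 1 #'; // the input shown on the page

// 1. The payload has no quote or backslash, so the escaping leaves it untouched.
var_dump(magic_quotes_on($payload) === $payload);
// The quote in the password is escaped, but uid still carries "OR 1 = 1", and
// "#" starts a MySQL comment that removes the password test.
echo build_query_unsafe(magic_quotes_on($payload), magic_quotes_on("it's")), "\n";

// 2. Hardened path against a constructed table (requires the pdo_sqlite extension).
// The plaintext password only mirrors the page's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Tbl_users (uid INTEGER PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO Tbl_users VALUES (1, 'admin')");

var_dump(find_user($db, $payload, 'anything')); // injection payload
var_dump(find_user($db, '1', 'wrong'));         // wrong password
var_dump(find_user($db, '1', 'admin'));         // valid login
```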
magic_quotes_runtime
If turned on, most functions that get data from external sources and return it, including data from databases and text files, have that data escaped with backslashes. This option can be changed at run time, and the default value in PHP is off.
magic_quotes_sybase
If turned on, single quotes are escaped with a single quote instead of a backslash. This option completely overrides magic_quotes_gpc. If both options are turned on at the same time, single quotes are escaped as ''. Double quotes, backslashes, and NULL characters are not escaped.
Because different servers are configured differently, the code needs to detect the server configuration with get_magic_quotes_gpc().
if (isset($_POST['C'])) {
    $s = $_POST['C'];
    if (get_magic_quotes_gpc()) {
        $s = stripslashes($s); // stripslashes() removes the backslashes added by addslashes()
    }
    // do something
}