POST and GET based on PHP

Source: Internet
Author: User
Tags html header php basics
This article introduces POST and GET in PHP.

Difference between POST and GET

Important:

* POST data travels in the body of the request and does not appear in the URL; GET data is appended to the URL as a query string and is therefore visible to anyone who sees the URL.
* The amount of data POST can carry is set by server configuration (in PHP, post_max_size, default 8 MB, and upload_max_filesize, default 2 MB, for file uploads); GET is bounded by the URL length that browsers and servers accept, typically a few kilobytes (Apache's LimitRequestLine, for example, defaults to 8190 bytes).
* As the names suggest, POST sends data to the server side and GET fetches data from the server side. GET still carries parameters because the client has to tell the server exactly which data it wants. POST data forms the body of the HTTP request, while GET data is part of the request line (the URL) in the header section.

Detailed description:

1. GET passes the user's data through the URL: each form field name is paired with its value, the pairs are joined with & and appended, after a ?, to the URL of the program named by the form's action attribute. The data is visible in the URL, exactly as if the user had clicked a link;

The POST method uses the HTTP POST mechanism: the field names and values are placed in the body of the HTTP request (not in any HTML header) and sent to the program named by the action attribute. A CGI program reads that body from standard input (stdin); PHP reads it for you and exposes the fields in $_POST.

2. In PHP, data sent with GET is read from $_GET and data sent with POST from $_POST (the classic ASP equivalents, Request.QueryString and Request.Form, are sometimes quoted in PHP tutorials by mistake).

3. The amount of data GET can carry is small, generally a few kilobytes, because the whole URL must fit within the browser's and server's URL length limits. Parsing a query string is marginally cheaper than reading a request body, but that is not a reason to choose GET;

POST can carry considerably more data. The server reads it from the request body, but a byte limit still applies (post_max_size in PHP); it exists so that a client cannot exhaust server resources with an oversized request.
Suggestion: unless you are sure the data is small enough to fit in the URL, use POST.

4. Submitting data with GET raises security problems, so use POST for form submission. For example, if a login page sends the user name and password with GET, they become part of the URL, and the URL ends up in the browser history, in proxy and web-server access logs, and in the Referer header of the next request; anyone with access to the client machine, to a cached copy of the page, or to the logs can recover the account and password from it.

A familiar side effect of a page reached by POST is the browser's "resend the data?" dialog when the page is refreshed; the usual remedy is to answer the POST with a redirect to a GET page (Post/Redirect/Get). Note that POST only keeps the data out of the URL; it does not hide it on the wire, so use HTTPS for anything sensitive. Suggestion: for security reasons, submit form data with POST.

5. With GET the form data set is percent-encoded into the URL, so it must be reduced to ASCII (non-ASCII characters travel as %XX sequences), whereas a POST body can carry the whole ISO 10646 (Unicode) character set.
6. Get is the default Form method.
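To make the points above concrete, the following added example (not code from the original article) builds the raw HTTP/1.1 request a browser would send for the same two form fields, once with method=get and once with method=post, so you can see where the data ends up, how non-ASCII and reserved characters are percent-encoded, and where the URL length limit bites. The host, path and field values are made up for the demonstration; the 8190-byte limit is Apache's LimitRequestLine default.

```php
<?php
// Added example: raw request text for a GET and a POST form submission.
// HOST and ACTION are assumed values, not taken from the article.

declare(strict_types=1);

const HOST = 'example.test';        // assumed host
const ACTION = '/login.php';        // assumed form action
const MAX_REQUEST_LINE = 8190;      // Apache's LimitRequestLine default

/** Build the raw HTTP/1.1 request for a form submission with $method. */
function build_request(string $method, array $fields): string
{
    $method = strtoupper($method);
    // application/x-www-form-urlencoded: name=value pairs joined by '&',
    // with non-ASCII and reserved bytes percent-encoded (RFC 3986 style).
    $encoded = http_build_query($fields, '', '&', PHP_QUERY_RFC3986);

    if ($method === 'GET') {
        // The data rides in the request line; the body is empty. This line is
        // what access logs, browser history and the Referer header record.
        $requestLine = 'GET ' . ACTION . '?' . $encoded . ' HTTP/1.1';
        if (strlen($requestLine) > MAX_REQUEST_LINE) {
            throw new LengthException('request line would exceed the server limit');
        }
        return $requestLine . "\r\n"
            . 'Host: ' . HOST . "\r\n"
            . "\r\n";
    }

    // POST: the same pairs go in the body and the URL stays clean.
    return 'POST ' . ACTION . " HTTP/1.1\r\n"
        . 'Host: ' . HOST . "\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . 'Content-Length: ' . strlen($encoded) . "\r\n"
        . "\r\n"
        . $encoded;
}

// Constructed sample input: a non-ASCII user name and a password that
// contains characters which are reserved inside a query string.
$fields = ['userid' => 'Müller', 'password' => 'p&ss=word'];

echo build_request('get', $fields), "\n\n";
echo build_request('post', $fields), "\n";
```

On the server, PHP decodes the same pairs back into $_GET for the first request and $_POST for the second; the only difference between the two is where the bytes travelled, which is exactly why credentials belong in a POST body over HTTPS and not in a URL.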

In the HTTP protocol, the four most commonly used methods (verbs) indicate the operation: GET, POST, PUT and DELETE. They correspond to four basic operations:
GET is used to obtain resources.
POST is used to create resources (or to update resources).
PUT is used to update resources.
DELETE is used to delete resources.

PHP can automatically escape data obtained through POST/GET (magic quotes)

Depending on the server configuration, special characters such as ' and " may already be escaped with a backslash when data is read from POST or GET. This is caused by PHP's magic quotes feature, which has three settings: magic_quotes_gpc, magic_quotes_runtime and magic_quotes_sybase. Magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4; the discussion below applies to older installations and to legacy code that still has to cope with them.

magic_quotes_gpc is summarised as follows:

1. magic_quotes_gpc = on

Data arriving through GET, POST and Cookie already has backslashes added, as if addslashes() had been called on it. A string can be written to the database and read back without calling addslashes() on input or stripslashes() on output, and it will display normally.

If you nevertheless run addslashes() on the input data, it is escaped twice, and you must then call stripslashes() to remove the surplus backslashes.

2. magic_quotes_gpc = off

You must escape the input yourself (with addslashes(), or better with the escaping function of your database driver or a prepared statement) before putting it into a query, but you do not need stripslashes() when outputting the data.

The backslash is not stored in the database together with the data: MySQL consumes it when it parses the string literal, so it only serves to get the SQL statement executed correctly.

About magic_quotes_gpc = on and PHP injection

Everyone knows the PHP configuration file php.ini. If magic_quotes_gpc is switched on there (magic_quotes_gpc = on), every single quote in the input is escaped, and anyone who knows a little PHP knows what that means for injection into string fields.

What remains injectable is numeric fields, which are compared without quotes.

The login form used in this example (reconstructed from the listing, which lost its tags: only the page title and the two labels survived, the input names are taken from the query below, and the form is assumed to post back to the same page):

```html
<html>
<head><title>Sample test</title></head>
<body>
<form method="post">
  User ID: <input type="text" name="userid"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Login">
</form>
</body>
</html>
```

If the user enters admin and admin, the query executed is:

SELECT * FROM table_users WHERE userid = admin AND password = 'admin' LIMIT 0, 1

If the attacker enters admin OR 1 = 1 # as the user name, the resulting SQL statement is:

SELECT * FROM table_users WHERE userid = admin OR 1 = 1 # AND password = 'admin' LIMIT 0, 1

The payload contains no quote, so magic quotes leave it untouched: the userid value is inserted unquoted, the # comments out the password check, and the query succeeds.

Code of this kind can be injected whether or not magic quotes are on. In php.ini, set display_errors = off so that database error messages are not shown to the attacker; this hides information but does not remove the injection, which only validating the number (for example with intval() or a prepared statement) does.
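The following added example (not the article's code) runs the article's login query against an in-memory SQLite database through PDO, simulating magic_quotes_gpc = on with addslashes(), to show that backslash escaping does nothing for an unquoted numeric column, and what the fixed version looks like. The table contents are constructed; SQLite is used instead of MySQL so the script runs anywhere pdo_sqlite is installed, which is why the payload ends in "-- " (a comment marker both databases accept) rather than the article's MySQL-only "#".

```php
<?php
// Added example: magic quotes versus injection into a numeric column.
// Table and column names follow the article; the rows are constructed.

declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE table_users (userid INTEGER, password TEXT)');
    $db->exec("INSERT INTO table_users VALUES (1, 'admin'), (2, 'guest')");
    return $db;
}

/** Vulnerable: userid is interpolated unquoted, as in the article. */
function login_vulnerable(PDO $db, string $userid, string $password): array
{
    // Simulate magic_quotes_gpc = on: quotes and backslashes get escaped...
    $userid   = addslashes($userid);
    $password = addslashes($password);
    // ...but the numeric column is compared without quotes, so the attacker
    // needs no quote to leave the expression, and addslashes() changes nothing.
    $sql = "SELECT * FROM table_users WHERE userid = $userid "
         . "AND password = '$password' LIMIT 0, 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: the id must be a plain integer and is bound as a parameter. */
function login_safe(PDO $db, string $userid, string $password): array
{
    if (filter_var($userid, FILTER_VALIDATE_INT) === false) {
        return [];   // anything that is not an integer is rejected outright
    }
    $stmt = $db->prepare('SELECT * FROM table_users WHERE userid = :id '
                       . 'AND password = :pw LIMIT 0, 1');
    $stmt->execute([':id' => (int) $userid, ':pw' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// The article's idea in portable form: "1 OR 1=1 -- " makes the WHERE clause
// true for every row and comments out the password check and the LIMIT.
$payload = '1 OR 1=1 -- ';

// Every user comes back although the password is wrong.
var_dump(login_vulnerable($db, $payload, 'wrong'));
// The same payload is rejected by the integer check.
var_dump(login_safe($db, $payload, 'wrong'));
// A legitimate login still works.
var_dump(login_safe($db, '1', 'admin'));
```

The lesson is the one the article hints at: magic quotes (and addslashes()) only ever addressed string literals, so the correct defence is to validate the type of every numeric input and to pass all values to the database as bound parameters instead of building SQL by string concatenation.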

magic_quotes_runtime
If it is enabled, most functions that return data from external sources, including databases and text files, have that data escaped with backslashes. This option can be changed at run time; the PHP default is off.

magic_quotes_sybase
If it is enabled, single quotes are escaped with a single quote rather than with a backslash. This option completely overrides magic_quotes_gpc: if both are enabled, only single quotes are converted, to ''. Double quotes, backslashes and NUL characters are not escaped.

Because configurations differ from server to server, code that has to run on PHP versions older than 5.4 should use get_magic_quotes_gpc() to detect the setting before deciding whether to strip the backslashes.

```php
if (isset($_POST['c'])) {
    $s = $_POST['c'];
    if (get_magic_quotes_gpc()) {
        $s = stripslashes($s);  // stripslashes() removes the backslashes that magic quotes (or addslashes()) added
    }
    // do something
}
```
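The snippet above normalises a single field. The following added example (not the article's code) does the same for the whole request, handles nested arrays such as name="c[]", and keeps working on PHP versions where get_magic_quotes_gpc() always returns false (5.4 to 7.4) or no longer exists (8.0 and later). The sample $_POST contents are constructed to look like what magic_quotes_gpc = on would have produced.

```php
<?php
// Added example: undo magic_quotes_gpc escaping for the whole request so the
// rest of the code always sees the raw bytes the client sent.

declare(strict_types=1);

/** True only on PHP < 5.4 with magic_quotes_gpc = On. */
function magic_quotes_active(): bool
{
    // The version check avoids calling a function that is deprecated on 7.4
    // and removed on 8.0; on 5.4+ it would always return false anyway.
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

/** stripslashes() applied to every string in a possibly nested array. */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/** Normalise $_GET, $_POST, $_COOKIE and $_REQUEST in place; call once, early. */
function undo_magic_quotes(): void
{
    if (!magic_quotes_active()) {
        return;
    }
    foreach (['_GET', '_POST', '_COOKIE', '_REQUEST'] as $name) {
        $GLOBALS[$name] = strip_magic_quotes($GLOBALS[$name]);
    }
}

// Constructed sample: what $_POST looks like under magic_quotes_gpc = On
// when the client sent  c=O'Reilly  and  tags[]=a\b  (backslashes added).
$escapedPost = ['c' => "O\\'Reilly", 'tags' => ['a\\\\b', 'x']];

$plain = strip_magic_quotes($escapedPost);
// $plain['c'] is the original O'Reilly and $plain['tags'][0] is a\b again.
// From here on, escape for the target context (bound parameters for SQL,
// htmlspecialchars() for HTML) instead of relying on the backslashes.
var_dump($plain);
```

Stripping the magic-quote backslashes on entry, then escaping per output context, is the pattern that makes code behave identically whether the setting is on or off; relying on magic quotes as an injection defence was never sufficient, as the numeric-field example above shows.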

The above introduces the basics of POST and GET in PHP; I hope it is helpful to readers interested in PHP tutorials.

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
