Wednesday 16 November 2011

HTML & ASP: form methods, get or post?

   


"In forms, should I use 'get' or 'post' when defining the method?"

This was a question a friend of mine asked me a few weeks ago. I thought he was joking, and I tried to find a humorous answer in the back of my mind. Finding none (as I'm a serious guy!), I answered with the usual backup phrase: "It depends". That gave me enough time to think, search my brain database for a technical explanation, and then provide a complete and reasonable answer to his question.
The problem was that the first word which came to my mind was 'idempotent'. I ended up answering his question without using the word 'idempotent'. And believe me, my friend was happy enough with my answer. The debate went on and we talked about the different ways of using the submitted data with ASP.

My friend is not really new to programming in HTML or ASP, but confessed that he has always been confused by the two form methods. That gave me the idea to write the following post.


GET or POST
When creating a form, we have to decide which method to use. The method attribute determines how the submitted data is sent.
The method is set in the form tag:
<form method="GET">
... form elements ...
</form>
and
<form method="POST">
... form elements ...
</form>
GET
With the GET method, form data is passed to the server as parameters encoded in the URL (query string). If we have a form where the user can submit a user name and a password, with GET our URL will change to:
http://www.test.com/?username=john.smith&password=xyz
The two parameters are passed using URL variables.

POST
Using the POST method, the form data is sent in the body of the HTTP request. This happens in the background and the user doesn't see anything (the URL won't change at all).

Idempotent?
The main difference between the two methods is that GET requests are meant to be idempotent. BANG! That's the word!
As the W3C site states:
"The 'get' method should be used when the form is idempotent (i.e., causes no side-effects). Many database searches have no visible side-effects and make ideal applications for the 'get' method." (quoted from W3C)
"Idempotent" is a mathematical word which basically defines something that has no effect on the state of things.
I don't want to write down a math essay here (especially because I don't know anything about this kind of stuff). What we need to understand is that "idempotent" here means that a form submission causes no changes except on the user's screen. Or, if we want to be very basic, we should use GET when we just need to retrieve data, not update it or perform any similar action.
The above is quite reasonable; however, please note that it is not always true. Earlier in this post I used a login form as an example to explain the GET method. As you may understand, it is not really secure to use the GET method to request access with a username and a password, because the submitted data will be visible in the URL.
So, even if the login request just involves retrieving data, it is not advisable to use the GET method in login forms.
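
The URL is not only visible in the address bar: a web server also writes the query string of each request to its access log. The following added example (not code from the original post) scans a log in the W3C extended format, which IIS uses by default, for GET requests that carried credential-like parameters; the sample log lines, the list of parameter names and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Parameter names treated as sensitive (an assumption; extend for your application).
SENSITIVE = {"password", "passwd", "pwd", "token"}

# Constructed sample in W3C extended log format; not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2011-11-16 10:00:01 GET /search.asp q=idempotent 200
2011-11-16 10:00:05 GET /login.asp username=john.smith&password=xyz 200
2011-11-16 10:00:09 POST /login.asp - 302
2011-11-16 10:00:12 GET /default.asp - 200
"""

def find_leaks(log_text):
    """Return (line_no, uri_stem, [param names]) for each GET whose
    query string contained a sensitive parameter."""
    fields, findings = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                       # other directives, blanks, rows before #Fields
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if row.get("cs-method") != "GET" or query == "-":
            continue                       # POST bodies are not logged; "-" means no query
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                 if k.lower() in SENSITIVE]
        if names:
            findings.append((line_no, row.get("cs-uri-stem"), names))
    return findings

def redact(query):
    """Mask sensitive values so a finding can be reported without repeating
    the secret. Other values are shown URL-decoded."""
    return "&".join(f"{k}=***" if k.lower() in SENSITIVE else f"{k}={v}"
                    for k, v in parse_qsl(query, keep_blank_values=True))

if __name__ == "__main__":
    for line_no, stem, names in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: GET {stem} carried {', '.join(names)} in the URL")
```

The POST login on the next log line leaves only `-` in the query column, which is the difference the post describes.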

And so? What should we use?
Basically it depends (and my first answer to my friend was indeed right!).
We need to keep in mind a few things:
1) GET appends data to the URL as name and value pairs, while POST works "behind the scenes";
2) GET requests can be bookmarked, while POST requests can't;
3) URLs have a size limit, so for large amounts of data the GET method is not advisable; POST has no size limitations;
4) POST is surely more secure when passing sensitive data (like passwords).

Didn't you say ASP?
You're right! It is in the post title!
When dealing with forms in ASP, we need to get the submitted data. Basically the way we get it changes according to the form method.
When using the GET method, we collect the submitted value with Request.QueryString.
If the form passes data like:
http://www.test.com/test.asp?name=John
we will get the data with:
Request.QueryString("name")
On the other hand, if we use the POST method, we can get the data with Request.Form:
Request.Form("name")
That ends my post. I'm sure we could get deeper into the GET vs POST discussion. If you want to, please use the comment section below.

In the meantime, have a glorious day!
