Free tutorials in Hindi & English Daily computer, mobile and IT guides Beginner friendly learning
Blog · PHP · 04 Jul 2026 · Hindi + English

GET vs POST in PHP: Difference with Live Form Example

GET puts data in the URL (visible, bookmarkable, ~2KB); POST sends it in the request body (hidden, unlimited, for passwords/DB changes). Full form example both ways.

The postcard vs sealed-envelope analogy

GET is a postcard: whatever you write travels on the outside — the postman, neighbours, everyone can read it (data rides in the URL). POST is a sealed envelope: the address is visible but the letter is inside (data travels in the request body). Both reach the same destination; what differs is who can see the contents on the way, how much fits, and what happens if the message is delivered twice.
GET :  search.php?name=Aman&class=10     <- data visible in URL
POST:  search.php                         <- URL clean, data in body

One form, both methods — complete working example

<!-- search.php : GET is right for SEARCHING -->
<form method="get" action="search.php">
    <input type="text" name="q" placeholder="Search student...">
    <button>Search</button>
</form>
<?php
if (isset($_GET['q'])) {
    $q = htmlspecialchars($_GET['q']);
    echo "Results for: " . $q;
    // URL becomes: search.php?q=Aman  -> shareable, bookmarkable!
}
?>

<!-- login.php : POST is right for PASSWORDS -->
<form method="post" action="login.php">
    <input type="text" name="username">
    <input type="password" name="password">
    <button>Login</button>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    // password never appears in URL, browser history, or server logs
}
?>

Why the choice is NOT about taste — 4 hard reasons

  • Visibility: GET data lands in browser history, bookmarks, server access logs, and the Referer header. A password in GET = a password stored in plain text in half a dozen places. Instant security hole.
  • Size: URLs are limited (~2KB safe across browsers). POST has no practical limit — and file uploads work only with POST (plus enctype="multipart/form-data").
  • Repeat safety: refresh a GET page — nothing bad happens (it just reads). Refresh after POST — the browser warns "resubmit form?" because POST changes things; repeating it could double-insert a fee payment.
  • Caching/bookmarking: GET URLs can be cached, shared, bookmarked — perfect for searches and filters. POST results cannot be bookmarked.
The rule professionals follow (it has a name — HTTP semantics): GET for requests that only read data; POST for requests that change data (insert, update, delete, login, upload). If your DB changes, it must be POST — no exceptions.

Comparison table

PointGETPOST
Data travels inURL query stringRequest body
Visible in URL/history/logs✅ Yes❌ No
Size limit~2KB practicalEffectively unlimited (php.ini post_max_size)
File upload❌ No✅ Yes
Bookmark/share result✅ Yes❌ No
Refresh behaviourSafe repeatBrowser warns (resubmission)
PHP superglobal$_GET$_POST
Use forSearch, filters, paginationLogin, forms saving data, uploads

One myth to bust

"POST is secure." Only more private on the client side — the data still travels as plain text over HTTP and any network sniffer can read it. Real security = POST + HTTPS (encryption in transit) + hashed passwords on the server. Say it this way in an interview and you sound like someone who has actually deployed.

Interview line: "GET carries data in the URL for safe, repeatable reads; POST carries it in the body for state-changing actions, uploads and anything sensitive — with HTTPS doing the actual securing."

Postcard vs सीलबंद लिफाफा analogy

GET एक postcard है: जो लिखा वह बाहर ही सफर करता है — postman, पड़ोसी, सब पढ़ सकते हैं (data URL में चलता है). POST सीलबंद लिफाफा है: पता दिखता है पर चिट्ठी अंदर है (data request body में जाता है). पहुंचते दोनों same जगह हैं; फर्क है रास्ते में contents कौन देख सकता है, कितना समाता है, और message दो बार deliver हो जाए तो क्या होता है.
GET :  search.php?name=Aman&class=10     <- data URL में दिखता है
POST:  search.php                         <- URL साफ, data body में

एक form, दोनों methods — पूरा working example

<!-- search.php : SEARCH के लिए GET सही है -->
<form method="get" action="search.php">
    <input type="text" name="q" placeholder="Search student...">
    <button>Search</button>
</form>
<?php
if (isset($_GET['q'])) {
    $q = htmlspecialchars($_GET['q']);
    echo "Results for: " . $q;
    // URL बना: search.php?q=Aman  -> share, bookmark हो सकता है!
}
?>

<!-- login.php : PASSWORDS के लिए POST सही है -->
<form method="post" action="login.php">
    <input type="text" name="username">
    <input type="password" name="password">
    <button>Login</button>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    // password कभी URL, browser history या server logs में नहीं आता
}
?>

Choice पसंद की बात नहीं — 4 ठोस वजहें

  • Visibility: GET data browser history, bookmarks, server access logs और Referer header में पहुंच जाता है. GET में password = आधा दर्जन जगहों पर plain text में stored password. सीधा security hole.
  • Size: URLs limited हैं (~2KB browsers में safe). POST की practical limit नहीं — और file uploads सिर्फ POST से होते हैं (साथ में enctype="multipart/form-data").
  • Repeat safety: GET page refresh करो — कुछ बुरा नहीं (सिर्फ पढ़ता है). POST के बाद refresh — browser पूछता है "resubmit form?" क्योंकि POST चीज़ें बदलता है; repeat होने पर fee payment double insert हो सकती है.
  • Caching/bookmarking: GET URLs cache, share, bookmark हो सकते हैं — searches और filters के लिए perfect. POST results bookmark नहीं होते.
Professionals का rule (इसका नाम है — HTTP semantics): जो requests सिर्फ data पढ़ें उनके लिए GET; जो data बदलें (insert, update, delete, login, upload) उनके लिए POST. DB बदल रही है तो POST ही होगा — no exceptions.

Comparison table

PointGETPOST
Data चलता हैURL query string मेंRequest body में
URL/history/logs में दिखता है✅ हां❌ नहीं
Size limit~2KB practicalलगभग unlimited (php.ini post_max_size)
File upload❌ नहीं✅ हां
Result bookmark/share✅ हां❌ नहीं
Refresh behaviourSafe repeatBrowser warning (resubmission)
PHP superglobal$_GET$_POST
किसके लिएSearch, filters, paginationLogin, data save करने वाले forms, uploads

एक myth तोड़ना ज़रूरी

"POST secure है." सिर्फ client side पर ज़्यादा private — data फिर भी HTTP पर plain text में सफर करता है और कोई भी network sniffer पढ़ सकता है. असली security = POST + HTTPS (transit में encryption) + server पर hashed passwords. Interview में ऐसे बोलेंगे तो लगेगा कि आपने सच में deploy किया है.

Interview line: "GET data को URL में ले जाता है safe, repeatable reads के लिए; POST body में ले जाता है state बदलने वाले actions, uploads और sensitive चीज़ों के लिए — असली securing HTTPS करता है."

Frequently Asked Questions

What is the difference between GET and POST in PHP?

GET sends data in the URL query string (visible, ~2KB, bookmarkable) and suits read-only requests like search; POST sends data in the request body (hidden from URL, size set by post_max_size, supports file uploads) and must be used for anything that changes data.

Is POST completely secure?

No — POST only hides data from the URL, history and logs; over plain HTTP it still travels as readable text. Real security requires HTTPS plus server-side measures like password hashing.

Why do file uploads require POST?

File contents are far too large and binary for a URL; uploads need the request body with enctype multipart/form-data, which only the POST method provides.