GET vs POST in PHP: Difference with Live Form Example
GET puts data in the URL (visible, bookmarkable, ~2KB); POST sends it in the request body (not shown in the URL, effectively unlimited, for passwords/DB changes). Full form example both ways.
The postcard vs sealed-envelope analogy
```
GET : search.php?name=Aman&class=10   <- data visible in URL
POST: search.php                      <- URL clean, data in body
```
One form, both methods — complete working example
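```php
<!-- search.php : GET is right for SEARCHING -->
<form method="get" action="search.php">
    <input type="text" name="q" placeholder="Search student...">
    <button>Search</button>
</form>
<?php
// is_string() rejects ?q[]=x, which would otherwise reach htmlspecialchars() as an array
if (isset($_GET['q']) && is_string($_GET['q'])) {
    // Escape before echoing so the search term cannot inject HTML or script
    $q = htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8');
    echo "Results for: " . $q;
    // URL becomes: search.php?q=Aman -> shareable, bookmarkable!
}
?>
```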
```php
<!-- login.php : POST is right for PASSWORDS -->
<form method="post" action="login.php">
    <input type="text" name="username">
    <input type="password" name="password">
    <button>Login</button>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    // password never appears in URL, browser history, or server logs
}
?>
```
Why the choice is NOT about taste — 4 hard reasons
- Visibility: GET data lands in browser history, bookmarks, server access logs, and the Referer header. A password in GET = a password stored in plain text in half a dozen places. Instant security hole.
- Size: URLs are limited (~2KB safe across browsers). POST has no practical limit — and file uploads work only with POST (plus enctype="multipart/form-data").
- Repeat safety: refresh a GET page — nothing bad happens (it just reads). Refresh after POST — the browser warns "resubmit form?" because POST changes things; repeating it could double-insert a fee payment.
- Caching/bookmarking: GET URLs can be cached, shared, bookmarked — perfect for searches and filters. POST results cannot be bookmarked.
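To make the visibility point concrete, the following added example (not code from the original page) scans web-server access-log lines for credential-like parameters left behind in query strings. The parameter-name list and the three log lines are constructed for illustration.

```php
<?php
// Added example: flag access-log entries whose query string carries
// credential-like parameters. Key names and log lines are constructed.

const SENSITIVE_KEYS = ['password', 'pass', 'pwd', 'token', 'otp'];

/** Return the sensitive parameter names found in one combined-log-format line. */
function sensitiveParamsInLogLine(string $line): array
{
    // The request line is logged as: "GET /path?query HTTP/1.1"
    if (!preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[2], PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return []; // no query string (typical for POST) or unparsable target
    }
    parse_str($query, $params);
    $hits = [];
    foreach (array_keys($params) as $name) {
        if (in_array(strtolower((string) $name), SENSITIVE_KEYS, true)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Constructed sample: a GET search, a login wrongly sent with GET, a POST login.
$sample = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /search.php?q=Aman HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2025:10:00:09 +0000] "GET /login.php?username=aman&password=hunter2 HTTP/1.1" 200 310',
    '203.0.113.5 - - [10/Jan/2025:10:00:20 +0000] "POST /login.php HTTP/1.1" 302 0',
];

foreach ($sample as $i => $line) {
    $hits = sensitiveParamsInLogLine($line);
    echo 'line ' . ($i + 1) . ': ' . ($hits ? 'LEAK ' . implode(',', $hits) : 'ok') . PHP_EOL;
}
```

Only the second line is flagged: the POST login leaves nothing in the log beyond the path, because the form fields travel in the body.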
Comparison table
| Point | GET | POST |
|---|---|---|
| Data travels in | URL query string | Request body |
| Visible in URL/history/logs | ✅ Yes | ❌ No |
| Size limit | ~2KB practical | Effectively unlimited (php.ini post_max_size) |
| File upload | ❌ No | ✅ Yes |
| Bookmark/share result | ✅ Yes | ❌ No |
| Refresh behaviour | Safe repeat | Browser warns (resubmission) |
| PHP superglobal | $_GET | $_POST |
| Use for | Search, filters, pagination | Login, forms saving data, uploads |
One myth to bust
"POST is secure." Only more private on the client side — the data still travels as plain text over HTTP and any network sniffer can read it. Real security = POST + HTTPS (encryption in transit) + hashed passwords on the server. Say it this way in an interview and you sound like someone who has actually deployed.
Interview line: "GET carries data in the URL for safe, repeatable reads; POST carries it in the body for state-changing actions, uploads and anything sensitive — with HTTPS doing the actual securing."
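The "POST + HTTPS + hashed passwords" rule above, as an added example that is not part of the original page: a login handler that refuses plain HTTP, refuses credentials in the URL, and checks the password against a stored hash. The `$users` array stands in for a database table, and the account in it is constructed.

```php
<?php
// Added example, not the page's own login.php. $users stands in for a database
// table; the account and password in it are constructed for illustration.

/** True when PHP reports that the request arrived over TLS. */
function isHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

/** Decide a login request's outcome; returns [HTTP status, message]. */
function handleLogin(array $server, array $get, array $post, array $users): array
{
    if (!isHttps($server)) {
        return [403, 'Login is only accepted over HTTPS'];
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'Use POST'];
    }
    if (isset($get['password'])) {
        // The secret came in the query string, so it is already in logs/history.
        return [400, 'Credentials must not be sent in the URL'];
    }
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!is_string($user) || !is_string($pass)) {
        return [400, 'Malformed form data']; // e.g. password[]=x arrives as an array
    }
    // The server stores only the hash; password_verify() checks the input against it.
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return [401, 'Invalid username or password'];
    }
    return [200, 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')];
}

$users = ['aman' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed

if (PHP_SAPI === 'cli') {
    // Constructed requests: POST over plain HTTP, then the same POST over HTTPS.
    $form = ['username' => 'aman', 'password' => 'correct horse'];
    echo implode(' ', handleLogin(['REQUEST_METHOD' => 'POST'], [], $form, $users)), PHP_EOL;
    echo implode(' ', handleLogin(['HTTPS' => 'on', 'REQUEST_METHOD' => 'POST'], [], $form, $users)), PHP_EOL;
} else {
    [$status, $message] = handleLogin($_SERVER, $_GET, $_POST, $users);
    http_response_code($status);
    echo $message;
}
```

Behind a TLS-terminating proxy `$_SERVER['HTTPS']` may be unset, so `isHttps()` has to read whatever signal that deployment actually trusts.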
Frequently Asked Questions
What is the difference between GET and POST in PHP?
GET sends data in the URL query string (visible, ~2KB, bookmarkable) and suits read-only requests like search; POST sends data in the request body (hidden from URL, size set by post_max_size, supports file uploads) and must be used for anything that changes data.
Is POST completely secure?
No — POST only hides data from the URL, history and logs; over plain HTTP it still travels as readable text. Real security requires HTTPS plus server-side measures like password hashing.
Why do file uploads require POST?
File contents are far too large and binary for a URL; uploads need the request body with enctype="multipart/form-data", which an HTML form sends only with method="post".