PHP and the POST Method

The mechanism of using the POST method is the same as that for the GET method. You only have to change the name of the method (i.e., replace GET with POST) and your code will work without any additional modifications. This holds, however, only if global variables were used to receive the data and not the $HTTP_GET_VARS array (the POST method fills a different array). The earlier example, which passed parameters using the GET method, can be changed to use the POST method as follows:

<form action="param.php" method="post">
User Name: 
 <input name="UserName">
 <input type="hidden" name="Password" value="qwerty">
</form>

Other than replacing GET with POST, no other changes are necessary.

When the POST method is used, all parameters are sent in the request body, again in the parameter_name=parameter_value format. The variable names and their values are placed into the $HTTP_POST_VARS array, or $_POST for short.

Although the parameters being passed are not displayed in the URL field, the POST method does not solve the security problem completely. Suppose you decided to use global variables to access the parameters, as in the code below, and saved this script in a file named postparam.php.

<form action="postparam.php" method="post">
User Name: <input name="UserName">
 <input type="hidden" name="Password" value="qwerty">
</form>

<?php
 // Relies on register_globals: $UserName and $Password are filled from
 // either GET or POST parameters, so the method is never enforced.
 if ($UserName<>"")
  {
   print("<P>Your user name is: ");
   print("$UserName");
   print("<P>The password is: $Password");
  }
?>

The above code passes the parameters from the form using the POST method. Despite this, the following request can still be executed:

http://192.168.77.1/postparam.php?UserName=Flenov&Password=qwerty

That is, we can pass the parameters exactly as with the GET method and the script will still work. How come? The problem lies with the global variables, which are not tied to any particular method: they are filled regardless of whether GET or POST was used. In this respect, using the $HTTP_POST_VARS and $HTTP_GET_VARS arrays is more secure, because each is tied to its own method. Had we used the $HTTP_POST_VARS array to process the parameters, attempting to pass them using the GET method would have failed, because they would then have been placed into the $HTTP_GET_VARS array instead.

The code below shows how to access the parameters through these arrays, and also how to refuse parameters sent in the URL field, that is, using the GET method. If the $HTTP_GET_VARS array is not empty, execution is terminated and a wrong-parameter message is displayed.

<form action="arrayparam.php" method="post">
User Name: <input name="UserName">
 <input type="hidden" name="Password" value="qwerty">
</form>

<?php
 // Anything in the query string means the GET method was used: refuse it.
 if (count($HTTP_GET_VARS)>0)
  {
   die("Wrong parameter");
  }

 // Read only from the POST array, so a GET request cannot supply these values.
 if ($HTTP_POST_VARS["UserName"]<>"")
  {
   print("<P>Your user name is: ");
   print($HTTP_POST_VARS["UserName"]);
   print("<P>Your password is: ");
   print($HTTP_POST_VARS["Password"]);
  }
?>

The value of the button is also placed into a variable. In the examples so far, we sent data to the server by pressing the Enter key. In production programs, however, you should use buttons for this purpose. It is much better for a user to see a button labeled Submit or Send than to be left wondering how to send the data entered. The Enter key still works, though.

<form action="submit1.php" method="get">
User Name: <input name="UserName">
 <input type="hidden" name="Password" value="qwerty">
 <input type="submit" name="sub" value="Go">
</form>

<?php
 // The submit button's value arrives in $sub (register_globals).
 // Note the comparison operator: a single "=" would be an assignment and
 // the condition would always be true.
 if ($sub=="Go")
  {
   print("<p>Submitted.....: $sub</p>");
  }
?>

You also must keep in mind that the button name does not change in the script. Even when the page loads for the first time, before the user presses the button to submit data, its value is already Go.

Although parameters are not displayed in the URL field when the POST method is used, you should not forget that they can still be intercepted. They can also be modified; this takes a little more effort, but it will not stop a determined hacker. The POST method simply prevents parameters from being displayed in the browser's URL field, keeping them from prying eyes. You should still take care when transmitting these parameters, and check them for any deviations from the norm and for disallowed characters.
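A hardened version of arrayparam.php, written for this edit rather than taken from the original post, combining the method check from the second example with the character check the closing paragraph asks for. It uses the $_GET/$_POST superglobals that replaced $HTTP_GET_VARS/$HTTP_POST_VARS; the form is assumed to live on a separate page that posts to this script, and valid_user_name and its allowed character set are assumptions.

```php
<?php
// Added example (not the original post's code): a hardened arrayparam.php.
// Assumes the HTML form is a separate page whose action points here.

// Refuse anything that did not arrive as a POST request, and refuse a
// POST that carries a query string.  This stops the
// ?UserName=...&Password=... request shown above no matter how PHP is
// configured (register_globals on or off).
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || count($_GET) > 0) {
    http_response_code(405);
    die("Wrong parameter");
}

// Whitelist the characters a user name may contain (assumed policy):
// this is the "disallowed characters" check the post recommends.
function valid_user_name($name)
{
    return is_string($name)
        && preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $name) === 1;
}

// Read only from $_POST, with a default for fields that are missing.
$userName = isset($_POST['UserName']) ? $_POST['UserName'] : '';
$password = isset($_POST['Password']) ? $_POST['Password'] : '';

if (!valid_user_name($userName)) {
    http_response_code(400);
    die("Wrong parameter");
}

// Escape before echoing so a value containing < or " cannot inject markup
// (the original examples print the raw variable).
print("<p>Your user name is: "
    . htmlspecialchars($userName, ENT_QUOTES, 'UTF-8') . "</p>");

// Do not echo the password back; report only whether one was supplied.
print("<p>Password supplied: " . ($password !== '' ? 'yes' : 'no') . "</p>");
?>
```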

Tag: PHP Development | Date:12/14/2009 8:37:01 PM