PHP GET and POST Methods - HTTP Request Handling
Complete guide to PHP $_GET and $_POST superglobals - form handling, differences between GET and POST, validation, security, and file uploads with $_FILES.
GET vs POST at a Glance
| Feature | GET | POST |
|---|---|---|
| Data location | URL query string | Request body |
| Visibility | Visible in URL, logs, history | Not in URL |
| Size limit | ~2,048 chars (browser dependent) | Configured in php.ini (default 8MB) |
| Caching | Can be cached & bookmarked | Not cached |
| Idempotent | Yes (should not change state) | No |
| Use for | Search, filtering, pagination | Forms, login, file uploads |
| PHP superglobal | $_GET | $_POST |
$_GET - Reading Query Parameters
<?php
// URL: page.php?category=php&page=2
$category = $_GET['category'] ?? 'all'; // "php"
if (!is_string($category)) $category = 'all'; // ?category[]=x arrives as an array
$page = (int) ($_GET['page'] ?? 1); // 2
// Escape user input before writing it into HTML to prevent XSS
echo 'Category: ' . htmlspecialchars($category, ENT_QUOTES, 'UTF-8') . ", Page: $page";
// HTML form using GET
?>
<form method="GET" action="search.php">
    <input type="text" name="q" placeholder="Search...">
    <select name="sort">
        <option value="date">Newest</option>
        <option value="title">Title</option>
    </select>
    <button type="submit">Search</button>
</form>
<!-- Submits to: search.php?q=hello&sort=date -->
$_POST - Handling Form Submissions
<form method="POST" action="register.php">
    <input type="text" name="username" required>
    <input type="email" name="email" required>
    <input type="password" name="password" required>
    <button type="submit">Register</button>
</form>
<?php
// register.php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $email = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';
    // Validate
    $errors = [];
    if (strlen($username) < 3) $errors[] = 'Username too short';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) $errors[] = 'Invalid email';
    if (strlen($password) < 8) $errors[] = 'Password must be 8+ chars';
    if (empty($errors)) {
        $hash = password_hash($password, PASSWORD_BCRYPT);
        // Save to database...
        echo 'Registration successful!';
    } else {
        foreach ($errors as $e) echo "<p class='error'>$e</p>";
    }
}
$_REQUEST - Both GET and POST
<?php
// $_REQUEST contains data from GET, POST, and COOKIE
$value = $_REQUEST['key'] ?? 'default';
// Generally avoid $_REQUEST - it's ambiguous about the source
// Use $_GET or $_POST explicitly for clarity and security
Security Best Practices
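<?php
// 1. Always validate input, and escape it when writing it into HTML
$name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
$age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT);
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// 2. Use prepared statements for database queries ($pdo is an existing PDO connection)
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);
// 3. CSRF protection
session_start();
// Create the token once per session so it is still there when the form is posted back
$_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
$token = $_SESSION['csrf_token'];
?>
<form method="POST">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <!-- form fields -->
</form>
<?php
// Verify on submission: both values must be strings, compared in constant time.
// A plain !== check passes when both sides are missing (null !== null is false).
$sent = $_POST['csrf_token'] ?? null;
$expected = $_SESSION['csrf_token'] ?? null;
if (!is_string($sent) || !is_string($expected) || !hash_equals($expected, $sent)) {
    http_response_code(403);
    die('Invalid CSRF token');
}
// 4. Check request method
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    die('Method not allowed');
}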
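An added example, not part of the original page: a hypothetical search.php for the GET form shown earlier, applying the validation and prepared-statement rules above to the q and sort parameters. The posts table, its columns, the page parameter limits and the in-memory SQLite demo data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical search.php logic for the GET form (q, sort, page).
// Table "posts" and its columns are assumptions, not from the original page.

function parse_search_params(array $get): ?array
{
    $q = $get['q'] ?? '';
    // ?q[]=x makes $_GET['q'] an array, so require a string before using it.
    if (!is_string($q) || strlen($q) > 100) {
        return null;
    }
    // ORDER BY cannot be a bound parameter: map the value to a fixed clause.
    $orders = ['date' => 'created_at DESC', 'title' => 'title ASC'];
    $sort = $get['sort'] ?? 'date';
    if (!is_string($sort) || !isset($orders[$sort])) {
        return null;
    }
    $page = filter_var($get['page'] ?? '1', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page === false) {
        return null;
    }
    return ['q' => trim($q), 'order' => $orders[$sort], 'page' => $page];
}

function search_posts(PDO $pdo, array $p, int $perPage = 10): array
{
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $p['q']) . '%';
    $stmt = $pdo->prepare("SELECT title FROM posts WHERE title LIKE :q ESCAPE '!' "
        . "ORDER BY {$p['order']} LIMIT :lim OFFSET :off");
    $stmt->bindValue(':q', $like, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($p['page'] - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo: in-memory SQLite (needs pdo_sqlite) and sample $_GET arrays.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE posts (title TEXT, created_at TEXT)");
$pdo->exec("INSERT INTO posts VALUES ('100% PHP', '2024-01-02'), ('PHP forms', '2024-01-01')");
$samples = [['q' => 'php', 'sort' => 'title'], ['q' => '%'], ['q' => ['x']], ['sort' => 'unknown']];
foreach ($samples as $get) {
    $p = parse_search_params($get);
    echo json_encode($get), ' => ', json_encode($p ? search_posts($pdo, $p) : 'rejected'), "\n";
}
```

In a real handler, a null result from parse_search_params() would be answered with HTTP 400, and each returned title would be passed through htmlspecialchars() before being written into the page.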
File Uploads with $_FILES
<form method="POST" enctype="multipart/form-data">
<input type="file" name="avatar" accept="image/*">
<button type="submit">Upload</button>
</form>
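<?php
if (isset($_FILES['avatar'])) {
    $file = $_FILES['avatar'];
    // $file['name']     - original filename (client-supplied, untrusted)
    // $file['type']     - MIME type (client-supplied, untrusted)
    // $file['size']     - size in bytes
    // $file['tmp_name'] - temporary path
    // $file['error']    - error code (0 = success)
    if ($file['error'] === UPLOAD_ERR_OK && $file['size'] < 2_000_000) {
        // Detect the real type from the file contents and map it to a fixed
        // extension; reusing the extension from $file['name'] would let a
        // client store a .php file in uploads/.
        $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp'];
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if (isset($allowed[$mime])) {
            $safe = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
            if (!move_uploaded_file($file['tmp_name'], "uploads/$safe")) {
                http_response_code(500);
                die('Upload failed');
            }
        } else {
            http_response_code(415);
            die('Unsupported file type');
        }
    }
}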
Last updated: 2026