HTML Forms POST, GET

By Tony Lawrence
2005-08-21


HTML Forms POST, GET

Web forms have two possible methods of passing information back to the script that will process the form. Every form will have something like this:

<form action="/cgi-bin/formpost.pl" method=POST>
<form action="/cgi-bin/formpost.pl" method=GET>

Those mean that the cgi script "formpost.pl" will be called to process the form data. How the data is passed to the cgi script depends upon whether the method is GET or POST.

Using the GET method means that the cgi form script will receive headers that actually contain the data from the form. They'll look something like this:

GET /cgi-bin/formpost.pl?var1=hello+there&button=Send HTTP/1.0

In that case, the "var1" was actually "hello there" and has been encoded so that it can be transmitted without misinterpretation (spaces can also be encoded as %20).

The POST method is a little different. In that case, the headers might look like:

POST /cgi-bin/formpost.pl HTTP/1.0
Content-type: application/x-www-form-urlencoded
Content-length: 26

var1=hello+there&button=Send

The Content-length tells the form script how much data it needs to read, but most folks don't bother to think about these details and instead use things like Perl's CGI.pm or Uncgi, which will just get the form data for you without your caring whether it's GET or POST.

Note there is one other important difference between GET and POST: GET requests can be cached, and POSTS cannot. Therefore, you shouldn't use GET for your forms if the result changes often.

What about when you want to SEND data to a form on somebody else's machine and get the results?

The simplicity of GET means that you can easily construct html that will call the form with specific variables.

<a href="/cgi-bin/formpost.pl?var1=hello+there&button=Send">Click here</a>

You do have to encode the strings, but that's not hard and (for example) there are Perl modules that can do that, and also in other languages.

If you want to code the whole thing, of course you could just open up a connection to port 80 on the server, and manually issue your GET using the same string you'd use in the html. You could do the same thing for a POST, sending headers like the example above. Again, most folks would enlist the aid of pre-written modules to do that. For example, in Perl:

#!/usr/bin/perl
# GET method form
use LWP::Simple;
use URI::Url
$var1="hello there";
$button="Send";

$url=url('http://somesite/formpost.pl");
$url->query_form(var1=>$var1,button=>$button);
$content=get($url);
print $content;

Or:

#!/usr/bin/perl
# POST method form
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

$var1="hello there";
$button="Send";

$ua=LWP::UserAgent->new();
my $req= POST 'http://somesite/formpost.pl', [var1=> $var1,button=>$button];
$content=$ua->request($req)->as_string;
print $content;

Notice that in neither case did I do anything to escape the strings. They wouldn't need any here (no spaces, etc.) but more importantly, the modules take care of that for you so if you did escape the strings, your escapes would be escaped again, which probably would get incorrect results from the form.

Tutorial Pages:
» HTML Forms POST, GET


© Copyright 2005 A.P. Lawrence

Related Tutorials: » Enrich Your Web Applications » Microsoft Complicates HTML Emails With Outlook 2007 » Testing Your Forms for Hijacking Vulnerability » Control Your Domain Registration Data » HTML Tables » Navigation Bar and Bulleted Lists