HTTP defines different ways to interact with the server. There are 4 basic methods: GET, POST, PUT, and DELETE. The full name of URL is a resource descriptor, and we can think of it this way: a URL address describes a resource on a network, and GET, POST, PUT, and DELETE in HTTP correspond to the four operations of querying, modifying, adding, and deleting that resource. From this you should have a general picture: GET is generally used to obtain/query resource information, while POST is generally used to update resource information.
1. According to the HTTP specification, GET is used for information retrieval and should be safe and idempotent.
(1). Safe means that the operation is used to obtain information rather than modify it. In other words, GET requests should generally not have side effects. That is, a GET only obtains resource information, like a database query, and does not modify or add data or affect the state of the resource.
* Note: Safe here only means that information is not modified.
(2). Idempotent means that multiple requests to the same URL should return the same result.
However, in practice these two rules are not applied so strictly. To quote an example from another article: the front page of a news site is constantly updated. Although a second request returns a different batch of news, the operation is still considered safe and idempotent because it always returns the current news. Fundamentally, the goal is that when a user opens a link, he can be confident that, from his point of view, the resource has not been changed.
2. According to the HTTP specification, POST represents a request that may modify a resource on the server. Continuing the example above: on the same news website, readers should POST their own comments on the news, because after a comment is submitted the site's resources are different, that is, the resource has been modified.
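The news-site example above as a small WSGI application, added here as an illustration and not taken from the quoted article: reading /news is safe and repeatable, only POST may add a comment, and a GET that tries to reach the comment endpoint is refused with 405. The paths, the COMMENTS store and the call() helper are assumptions made for this example.

```python
# Added example: a constructed in-memory news page, not code from the article.
import io
from wsgiref.util import setup_testing_defaults

COMMENTS = []  # the resource state held by the server (constructed store)

def app(environ, start_response):
    method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
    if path == "/news":
        if method != "GET":
            start_response("405 Method Not Allowed", [("Allow", "GET")])
            return [b""]
        # Safe: reading the page never changes COMMENTS.
        start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
        return ["\n".join(COMMENTS).encode("utf-8")]
    if path == "/news/comments":
        if method != "POST":
            # A GET here is refused instead of being allowed to modify the resource.
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        size = int(environ.get("CONTENT_LENGTH") or 0)
        COMMENTS.append(environ["wsgi.input"].read(size).decode("utf-8"))
        start_response("201 Created", [("Content-Length", "0")])
        return [b""]
    start_response("404 Not Found", [("Content-Length", "0")])
    return [b""]

def call(method, path, body=b""):
    """Drive the WSGI app directly (no socket); returns (status, response body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body_out = b"".join(app(environ, start_response))
    return seen["status"], body_out

if __name__ == "__main__":
    print(call("GET", "/news"))           # read-only request
    print(call("GET", "/news/comments"))  # refused: state change needs POST
```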
The above roughly covers the principles behind GET and POST in the HTTP specification. In practice, however, many people do not follow the HTTP specification, and there are many reasons for this, such as:
1. Many people use GET to update resources because POST requires going through a FORM, which is a little more troublesome.
2. Adding, deleting, modifying, and querying resources can in fact all be done through GET/POST, without the need to use PUT and DELETE.
3. Another reason is that early Web MVC framework designers did not consciously treat and design URLs as abstract resources. A serious consequence is that traditional Web MVC frameworks basically support only two HTTP methods, GET and POST, and do not support PUT and DELETE.
* A brief explanation of MVC: MVC originated in desktop programs. M refers to the data model, V to the user interface, and C to the controller. The purpose of using MVC is to separate the implementation code of M and V, so that the same program can use different representations.
The 3 points above typify the old style (which does not strictly adhere to the HTTP specification). As architectures have developed, there is now REST (Representational State Transfer), a new style that supports the HTTP specification.
Having covered the principles, let's look at the differences between GET and POST as they appear on the surface:
1. The data of a GET request is appended to the URL (that is, the data is placed in the HTTP protocol header), with ? separating the URL from the transmitted data and the parameters joined by &, for example: login.action?name=hyddd&password=idontknow&verify=%E4%BD%A0%E5%A5%BD. If the data consists of English letters/numbers, it is sent as it is; a space is converted to +; Chinese/other characters are encoded with BASE64, giving a string such as %E4%BD%A0%E5%A5%BD, where XX in %XX is the hexadecimal ASCII value of the symbol.
POST places the submitted data in the packet body of the HTTP packet.
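Decoding the sample GET data above by the rules just listed (split at ?, fields joined by &, + for a space, %XX as a hexadecimal byte value), as an added example that is not code from the original article. The function names are made up for this example, and reading the escaped bytes as UTF-8 is an assumption about the sample.

```python
# Added example: hand-written decoder for the article's sample URL.
HEX_DIGITS = "0123456789abcdefABCDEF"

SAMPLE = "login.action?name=hyddd&password=idontknow&verify=%E4%BD%A0%E5%A5%BD"

def decode_component(text):
    """Decode one name or value: '+' is a space, %XX is one raw byte."""
    raw = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "+":
            raw.append(0x20)
            i += 1
        elif ch == "%":
            pair = text[i + 1:i + 3]
            # Reject truncated or non-hex escapes instead of guessing.
            if len(pair) != 2 or any(c not in HEX_DIGITS for c in pair):
                raise ValueError(f"malformed escape at offset {i}")
            raw.append(int(pair, 16))
            i += 3
        else:
            raw.extend(ch.encode("utf-8"))
            i += 1
    # Assumption: the escaped bytes are UTF-8 text, as in the article's sample.
    return raw.decode("utf-8")

def parse_get_data(url):
    """Return the (name, value) pairs carried after the first '?'."""
    _, _, query = url.partition("?")
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((decode_component(name), decode_component(value)))
    return pairs

if __name__ == "__main__":
    for name, value in parse_get_data(SAMPLE):
        print(name, "=", value)
```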
2. "The maximum data submitted by GET method can only be 1024 bytes, theoretically there is no limit to POST, and a large amount of data can be transferred, up to 80KB in IIS4 and 100KB in IIS5"??!
The sentence above is reposted from other articles; in fact, it is wrong and inaccurate:
(1). First, "the data submitted by GET method can only be 1024 bytes at most": because GET submits data through the URL, the amount of data that GET can submit is directly related to the length of the URL. In fact, there is no upper parameter limit for URLs, and the HTTP protocol specification does not limit the length of URLs. The limit is imposed by specific browsers and servers. IE's limit on URL length is 2083 bytes (2K+35). For other browsers such as Netscape and FireFox, there is theoretically no length limit; the limit depends on the support of the operating system.
Note that this limit applies to the entire URL length, not just the length of your parameter value data. [See Ref. 5]
(2). Theoretically, POST has no size limit, and the HTTP protocol specification does not impose one. It is inaccurate to say that "there is a size limit of 80K/100K for POST data": POST data itself is not limited, and what plays the limiting role is the processing power of the server's handler.
For ASP programs, the Request object has a 100K data length limit when processing each form field. But with Request.BinaryRead there is no such limitation.
Following on from this, in IIS 6.0 Microsoft has increased the restrictions for security reasons. We also need to pay attention to the following:
1). IIS 6.0 defaults to a maximum of 200 KB of ASP POST data, and the limit is 100 KB per form field.
2). The default maximum size of an uploaded file in IIS 6.0 is 4MB.
3). IIS 6.0 defaults to a maximum request header of 16KB.
These limitations did not exist prior to IIS 6.0. [See Ref. 5]
So the 80K and 100K above may just be default values (note: I haven't confirmed the parameters of IIS4 and IIS5 yet), but you can definitely set them yourself. Since the default values of these parameters differ in each version of IIS, please refer to the relevant IIS configuration documentation for details.
3. In ASP, the server uses Request.QueryString to obtain GET request parameters and Request.Form to obtain POST request parameters. In JSP, use request.getParameter("XXXX") to get them. JSP also has a request.getQueryString() method, but it is more troublesome to use; for example, if you send test.jsp?name=hyddd&password=hyddd, request.getQueryString() returns: name=hyddd&password=hyddd. In PHP, you can use $_GET and $_POST to get data from GET and POST respectively, while $_REQUEST can get data from both GET and POST requests. It is worth noting that there are hidden dangers in using request in JSP and $_REQUEST in PHP, which will be summarized in a later article.
4. POST is more secure than GET. Note: The security mentioned here is not the same concept as the "safe" property of GET described above. For example, if you submit data through GET, your username and password will appear in plaintext in the URL; because (1) the login page may be cached by the browser and (2) others may view the browser's history, others can obtain your account and password for a forgery attack.
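A check a defender can run for the exposure described in point 4, added here as an example and not taken from the original article: it scans request lines for sensitive parameters carried in the URL and redacts their values. The log lines are constructed samples, and both the parameter names in SENSITIVE and the idea of applying the check to web server access logs are assumptions of this example.

```python
# Added example: find and redact credentials sent in GET query strings.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"password", "passwd", "pwd", "token", "secret"}  # assumed names

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login.action?'
    'name=hyddd&password=idontknow&verify=%E4%BD%A0%E5%A5%BD HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login.action HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /news?page=2 HTTP/1.1" 200 2048',
]

def redact_target(target):
    """Return (target with sensitive values masked, list of leaked names)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [name for name, _ in pairs if name.lower() in SENSITIVE]
    if not leaked:
        return target, []  # untouched, so harmless URLs are never rewritten
    masked = [(n, "REDACTED" if n.lower() in SENSITIVE else v) for n, v in pairs]
    # urlencode re-escapes the remaining values (UTF-8 percent-encoding).
    return urlunsplit(parts._replace(query=urlencode(masked))), leaked

def scan(lines):
    """Return (findings, cleaned lines); a finding is (line no, method, names)."""
    findings, cleaned = [], []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            target, leaked = redact_target(match.group("target"))
            if leaked:
                findings.append((number, match.group("method"), leaked))
                line = line[:match.start("target")] + target + line[match.end("target"):]
        cleaned.append(line)
    return findings, cleaned

if __name__ == "__main__":
    found, safe_lines = scan(SAMPLE_LOG)
    print(found)
    print("\n".join(safe_lines))
```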
To sum up, GET is a request to obtain data from the server, while POST is a request to submit data to the server. In a FORM, Method defaults to "GET". In essence, GET and POST are just different sending mechanisms; it is not the case that one fetches and the other sends!