WWW FAQs: How do I keep form data out of the URL?


2007-03-30: "I made an HTML form and when I submit it, all the form data winds up in the URL. How do I keep it out of the URL?"

Your form element has its method attribute set to GET, or has no method attribute at all (GET is the default). In 99% of cases, you should use the POST method instead.

Write your form element like this:


<form method="POST" action="yourpage.php">
<!-- Form elements go here, like always -->
</form>

This article assumes you already know the basics of handling form submissions on your website. If not, you should check out my article "How can I receive form submissions?" before reading on.

Understanding GET versus POST

What is the difference between the GET method and the POST method? What do they actually do?

The GET method packs all of your form fields into the URL. Here is an example of the URL that is created when you submit a form with just two input fields, name and color:


http://www.example.com/mypage.php?name=Bob&color=blue

For Experts: Exactly How Is That URL Formatted?

The format of a GET-method URL isn't all that hard to understand. Input field names are separated from their values by the = character, and the name/value pairs are separated by the & character.

That's not quite the whole story. Certain special characters could cause confusion if they appeared in the form data itself. Specifically, =, &, ", % and any characters that are not legal in a URL are "escaped" as %xx where xx is the ASCII code of the character in hexadecimal.

But you don't need to worry about this, because the web browser automatically does it for you when the user clicks the "submit" button of the form. Then the web server recognizes that there is a ? mark in the URL, slices off that part, and gives it to PHP (or ASP, or ASP.NET, or Perl's CGI.pm, or...) which automatically unpacks the data. And PHP programmers can then find it in the $_GET array.

That's it for GET. But how does the POST method work? If the data isn't in the URL, then where is it?

When a web browser talks to a web server, it can do more than simply transmit a URL. The browser can also hand over a "request body" containing additional data. And this is where the POST form data is submitted.

Since the request body is not part of the URL, it doesn't appear in the location bar.
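The GET/POST difference described above, as an added example that is not part of the original article: it builds the raw request a browser would send for the same two fields each way and prints the request line, the part that carries the URL. The field values are constructed, and the function names are this example's own.

```javascript
// Added example: the same two form fields sent with GET and with POST.
// Host, path and field values are constructed sample data.
const HOST = "www.example.com";
const ACTION = "/mypage.php";

// Encode fields the way a browser encodes a form submission:
// name=value pairs joined by &, special characters as %xx, spaces as +.
function encodeForm(fields) {
  return new URLSearchParams(fields).toString();
}

// The reverse step, which PHP performs before filling $_GET or $_POST.
function decodeForm(encoded) {
  return Object.fromEntries(new URLSearchParams(encoded));
}

// GET: the encoded data is appended to the URL after a "?".
function buildGet(fields) {
  return [
    `GET ${ACTION}?${encodeForm(fields)} HTTP/1.1`,
    `Host: ${HOST}`,
    "", "",
  ].join("\r\n");
}

// POST: the URL stays bare; the encoded data travels in the request body.
function buildPost(fields) {
  const body = encodeForm(fields);
  return [
    `POST ${ACTION} HTTP/1.1`,
    `Host: ${HOST}`,
    "Content-Type: application/x-www-form-urlencoded",
    `Content-Length: ${new TextEncoder().encode(body).length}`,
    "",
    body,
  ].join("\r\n");
}

// The first line of a request is the only line that contains the URL.
function requestLine(raw) {
  return raw.split("\r\n")[0];
}

const fields = { name: "Bob & Alice", color: "blue=50%" };
console.log(requestLine(buildGet(fields)));
console.log(requestLine(buildPost(fields)));
console.log(decodeForm(encodeForm(fields)));
```

The URL is what the browser stores in history and bookmarks and what web servers typically record in their access logs, so GET form data ends up in all of those places. The POST body appears in none of them.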

When You Should Use GET

Is there ever a good reason to use the GET method for a form? Yes: when you want the results to be bookmarkable.

Here's an example: a user comes to a search engine. The user searches for 1952 Vincent Black Lightning and finds lots of good information on your site. Should they be able to bookmark the search results page? Sure, why not! And since the search engine probably doesn't have hundreds of form fields, we're in no danger of exceeding the maximum length of a URL. So we use the GET method intentionally, allowing the user to see the form submission in the URL. That means the user can bookmark it and repeat the search simply by selecting it from their favorites menu.

When You Should Use POST

When should you use the POST method? Almost all the time! But especially on a shopping site. Packing the user's personal data, such as their street address, into the URL causes anxiety and concern: no one likes to see their personal data popping up where they don't expect it. More importantly, forms that request any significant amount of information, such as a comment on a blog or guestbook, will quickly exceed the maximum length of a URL in the most popular web browser.

Another issue to consider: is it okay to submit this form the same way again? Will that have a useful result for the user, or will it do something unexpected or unpleasant? If submitting the form again with exactly the same data isn't really going to work, use the POST method so that can't happen. And if submitting the data again will charge someone's credit card, don't even think about using the GET method!

For more information, see my article "How can I receive form submissions?"

Legal Note: yes, you may use sample HTML, Javascript, PHP and other code presented above in your own projects. You may not reproduce large portions of the text of the article without our express permission.
