Original URL: http://stackoverflow.com/questions/7906329/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Using POST method to hide URL parameters
Asked by Alex
I understand that I am able to use the POST method for URL parameters to display data according to a specific variable, I know how to make use of the GET method - but I am told that the POST method can be used to hide the part of the URL that is like this.
/data.php?parameter=1234
What is the actual difference of the two methods in terms of URL parameters?
Below is some code that fetches data from a database according to the id of a specific link
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');

//This is the actual interaction with the database, according to the id.
$query = mysql_query("SELECT * FROM table WHERE id=" . $_GET['id'] . ";") or die("An error has occurred");

//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if (mysql_num_rows($query) < 1)
{
    header('Location: 404.php');
    exit;
}

//Here each cell in the database is fetched and assigned a variable.
while ($row = mysql_fetch_array($query))
{
    $id = $row['id'];
    $title = $row['title'];
    $month = $row['month'];
    $day = $row['day'];
    $photo = $row['photo'];
    $text = $row['text'];
}
?>
On a separate page I generate links to the data.php file according to the ID like so:
<a href="post.php?id=<?php echo $content['id']; ?>"><?php echo $content['title']; ?></a>
Forgetting that there are potential SQL injections that can occur through the above code, how would I go about making use of the POST method in order to hide the URL parameters, or at least not display them like this:
http://example.com/data.php?id=1
Accepted answer by Dan Breen
In order to use POST, you will need to use a <form> tag, and depending on how you are pulling up these URLs, it could be easier to use javascript to help out. Here's a basic example:
<form method="post" action="data.php">
<input type="hidden" name="parameter" value="1234" />
<input type="submit" value="Go" />
</form>
The Go button would POST the form data, and now in data.php you will be able to retrieve the value from $_POST['parameter']. Note that when using POST, you will probably want to redirect (HTTP 302) back to a page so that when a user hits the back button, the browser doesn't prompt to resubmit the form.
Using javascript, you could set the parameter input to a different value before posting the form.
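A server-side counterpart to the form in the accepted answer, as an added example that is not part of the original answer: data.php validates the posted `parameter`, redirects so the page is rendered by a parameterless GET, and queries with a bound placeholder instead of concatenating the id as the question's code does. The `posts` table, its sample row, the session key `post_id` and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions; 303 is used for the redirect where the answer mentions 302.

```php
<?php
// data.php (added example). The `posts` table, its sample row and the
// session key 'post_id' are assumptions made for this illustration.
session_start();

// Accept the id only as a positive integer; anything else becomes null.
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read the body only ($_POST, not $_REQUEST). The hidden field is still
    // user-editable, so it is validated like any other input.
    $id = parse_id($_POST['parameter'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('Bad request');
    }
    $_SESSION['post_id'] = $id;
    // Redirect so the page is shown by a GET of data.php with no
    // parameters; Back and Reload then never re-send the form.
    header('Location: data.php', true, 303);
    exit;
}

$id = parse_id($_SESSION['post_id'] ?? null);
if ($id === null) {
    header('Location: 404.php');
    exit;
}

// Constructed in-memory database so the script runs on its own.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, text TEXT)');
$pdo->exec("INSERT INTO posts VALUES (1234, 'Sample title', 'Sample text')");

// Placeholder binding keeps the id out of the SQL text.
$stmt = $pdo->prepare('SELECT id, title, text FROM posts WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    header('Location: 404.php');
    exit;
}
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . htmlspecialchars($row['text'], ENT_QUOTES, 'UTF-8') . '</p>';
```

Moving the id out of the URL changes where it is visible, not who controls it, which is why the validation and the bound query stay in place on the POST path.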
Answer by Amir Md Amiruzzaman
Use method "POST" for your form. I had the same issue, just adding POST to the form removed the parameters from the URL
<form id="abc" name="abc" action="someaction.php" method="post">
<input type="text" id="username" name="username"/>
<input type="password" id="password" name="password"/>
<input type="submit" id="submit" name="submit" value="submit"/>
</form>
Answer by Jeff Warnica
To POST values, a browser would have to use a form with method="post", or javascript simulating a form. Various developer tools (Firebug, etc) can convert GET forms to POST forms, but generally, a form is what is required.
In theory GET requests should not have any side effects, and "should" be consistent from request to request. That is, the server should return the same content. In today's world of just about everything being dynamic, this might be of little practical design significance.
Answer by wberry
Whether you use GET or POST, the parameters will appear in $_REQUEST. The critical difference is that using POST allows the variables NOT to appear in URL history. This decreases the visibility of data such as passwords which you do not want to show up in URL history. To use POST instead of GET, simply produce <form method="POST" ...> in the document.
Even better is to store sensitive values (like user ids) in cookies, so that they don't appear in $_REQUEST at all. Since the contents of cookies are provided in extra HTTP request headers, not in the content, they are generally not stored as part of the history.
Answer by lambinator
In order to use POST instead of GET, you would need to use an HTML form tag in your html, like so:
<form method="POST" action="/data.php">
<input type="hidden" name="parameter" value="1234" />
<button type="submit">Submit</button>
</form>
When submitted, your URL will just be /data.php and parameter=1234 will be in your (hidden) post buffer.
Make sense?
Answer by Marc B
To do a POST, you have to use a form, or some javascript/ajax trickery. An <a> will only ever cause a GET request.
Note that POST requests can still have query parameters in the URL. It's not "normal" to have them, but they are allowed. The main difference being that with a GET request (ignoring cookies), the URL is the ONLY way to send parameters/data to the server. With POST, you can use both the URL, and the body of the POST request, which is where POSTed form data is normally placed.
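The answers above note that $_REQUEST holds parameters from either method and that a POST may carry parameters in both its URL and its body. The following added example, which is not part of any answer, reads a parameter only from the source the handler expects and refuses a POST that supplies the same name in both places; `read_param()` and the sample requests are constructed for illustration, and the merged column assumes `request_order = "GP"`.

```php
<?php
// Added example; read_param() and the sample requests are constructed.

// Return the parameter from the one place the handler expects it: the body
// for POST, the query string for GET. A POST that also carries the same
// name in its URL is refused instead of silently picking one of the two.
function read_param(string $name, string $method, array $get, array $post): ?string
{
    $method = strtoupper($method);
    if ($method === 'POST') {
        if (array_key_exists($name, $get)) {
            return null; // same name in URL and body: ambiguous, refuse
        }
        $value = $post[$name] ?? null;
    } elseif ($method === 'GET') {
        $value = $get[$name] ?? null;
    } else {
        return null;
    }
    return is_string($value) ? $value : null; // arrays (name[]=x) are refused
}

// Constructed requests: [method, query-string parameters, body parameters]
$samples = [
    'plain GET'            => ['GET',  ['parameter' => '1234'], []],
    'plain POST'           => ['POST', [], ['parameter' => '1234']],
    'POST + URL parameter' => ['POST', ['parameter' => '1'], ['parameter' => '1234']],
    'array value'          => ['POST', [], ['parameter' => ['1234']]],
];

foreach ($samples as $label => [$method, $get, $post]) {
    $strict = read_param('parameter', $method, $get, $post);
    // What $_REQUEST would hold with request_order = "GP" (later source wins).
    $merged = array_merge($get, $post)['parameter'] ?? null;
    printf("%-22s strict=%s  merged=%s\n", $label,
        json_encode($strict), json_encode($merged));
}
```

In a real handler the call would be `read_param('parameter', $_SERVER['REQUEST_METHOD'], $_GET, $_POST)`.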