Difference Between $_GET and $_POST in PHP
This article explains the primary differences between the
$_GET and $_POST superglobal variables in PHP.
It covers how they transmit data, their security implications, storage
limits, and the specific scenarios where you should use one over the
other.
The Core Difference
The fundamental difference between $_GET and
$_POST lies in how they send data to the
server.
$_GETsends data by appending it to the URL as query parameters.$_POSTsends data invisibly within the body of the HTTP request.
Detailed Comparison
To choose the right method for your PHP application, you must understand how they differ across several key areas:
1. Security
$_GETis insecure for sensitive data. Because the data is appended to the URL, it is visible in the browser address bar. It also gets stored in the browser’s history, web server logs, and can be cached by proxy servers. Never use$_GETfor passwords, credit card numbers, or other sensitive information.$_POSTis more secure. Data is sent within the HTTP request body, meaning it is not visible in the URL or stored in browser history. However, for absolute security, you must still use HTTPS to encrypt the transit of$_POSTdata.
2. Data Limits
$_GEThas strict limits. Since URLs have length restrictions imposed by browsers and web servers (usually around 2,048 characters),$_GETis unsuitable for sending large amounts of data.$_POSThas no theoretical limit. It can be used to send large amounts of data, including file uploads and multi-part form submissions. The only limits are those configured in your server’sphp.inifile (such aspost_max_sizeandupload_max_filesize).
3. Bookmarking and Caching
$_GETrequests can be bookmarked and cached. Since all variables are part of the URL, users can bookmark a specific query result or share the link with others.$_POSTrequests cannot be bookmarked. If a user attempts to bookmark a page generated by a$_POSTsubmission, the bookmark will only save the URL, not the submitted data. Reloading a$_POSTpage will also trigger a browser warning asking the user to resubmit the form.
Quick Reference Summary
| Feature | $_GET |
$_POST |
|---|---|---|
| Data Location | URL Query String | HTTP Request Body |
| Visibility | Public (visible in URL) | Hidden from URL |
| Max Capacity | ~2,048 characters | No limit (configurable) |
| Security | Low (unsuitable for sensitive data) | Medium (suitable for sensitive data with HTTPS) |
| Can be Bookmarked? | Yes | No |
| Can be Cached? | Yes | No |
When to Use Which?
Use $_GET when:
- The submission is a simple query that retrieves data from the database without modifying it (idempotent actions).
- You want the user to be able to bookmark, share, or refresh the page results (e.g., search engines, product filters, category pages).
Use $_POST when:
- The submission modifies data on the server (e.g., creating a new user account, updating a database, or deleting a record).
- You are transmitting sensitive information like passwords, API keys, or personal details.
- You are uploading files (images, documents) or sending large blocks of text.