PHP $_GET & $_POST (Complete Guide with Examples)

When working with PHP, handling user input is crucial. PHP provides two main ways to collect form data:

$_GET → Sends data via the URL (query string)
$_POST → Sends data hidden in the HTTP request body

Understanding when to use each method is essential for security and performance.

Understanding $_GET (Sending Data via URL)

How `$_GET` Works in PHP

Sends data via the URL (?key=value).
Useful for retrieving data (e.g., search queries, filters).
Not secure for sending sensitive information (passwords, credit cards).
Limited to 2,048 characters in most browsers.

Example: Using `$_GET`

Create an HTML Form (`get-form.html`)

<form action="get-handler.php" method="GET">
    <label for="name">Enter Name:</label>
    <input type="text" name="name" id="name">
    <button type="submit">Submit</button>
</form>

Handle Data in PHP (get-handler.php)

<?php
if (isset($_GET['name'])) {
    $name = $_GET['name'];
    echo "Hello, " . htmlspecialchars($name);
}
?>

URL Example:
get-handler.php?name=John

Output:
Hello, John

Tip: Use htmlspecialchars() to prevent XSS (Cross-Site Scripting) attacks.

Understanding $_POST (Sending Data Securely)

How `$_POST` Works

Sends data in the HTTP request body (hidden from URL).
Used for secure form submissions (login, registration).
No length restrictions.
More secure than $_GET (data isn’t stored in browser history).

Example: Using `$_POST`

Create an HTML Form (`post-form.html`)

<form action="post-handler.php" method="POST">
    <label for="email">Enter Email:</label>
    <input type="email" name="email" id="email">
    <button type="submit">Submit</button>
</form>

Handle Data in PHP (post-handler.php)

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['email'])) {
    $email = $_POST['email'];
    echo "Submitted Email: " . htmlspecialchars($email);
}
?>

Output (No data in URL):
Submitted Email: example@gmail.com

Secure – Data isn’t visible in the browser history.

Key Differences Between $_GET and $_POST

Feature	`$_GET`	`$_POST`
Data Sent	URL query string	HTTP request body
Visibility	Visible in URL	Hidden from URL
Security	Less secure (exposed in logs)	More secure
Use Case	Fetching data (search, filters)	Sending sensitive data (login, forms)
Data Limit	2,048 characters	No limit
Caching	Can be cached	Cannot be cached

Use $_GET for:

Retrieving data (e.g., search.php?query=PHP)
Bookmarkable or shareable URLs

Use $_POST for:

Submitting sensitive data (passwords, forms)
Operations that modify data (e.g., registration, file uploads)

Handling $_GET and $_POST Securely

A. Preventing XSS (Cross-Site Scripting)

Always sanitize user input before displaying it.

$name = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');

B. Validating Input Data

if (filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
    echo "Valid Email!";
} else {
    echo "Invalid Email!";
}

C. Using `isset()` to Prevent Errors

if (isset($_GET['id'])) {
    echo "User ID: " . $_GET['id'];
} else {
    echo "No ID provided.";
}

Combining $_GET and $_POST ($_REQUEST)

PHP provides $_REQUEST, which contains both $_GET and $_POST data.

<?php
if (isset($_REQUEST['username'])) {
    echo "Hello, " . htmlspecialchars($_REQUEST['username']);
}
?>

Caution: Avoid using $_REQUEST for sensitive data as it can mix GET and POST data, leading to security risks.

Advanced Example: Login Form (login.php)

<form action="login-handler.php" method="POST">
    <label for="username">Username:</label>
    <input type="text" name="username" id="username" required>
    
    <label for="password">Password:</label>
    <input type="password" name="password" id="password" required>
    
    <button type="submit">Login</button>
</form>

`login-handler.php` (Processing Login Form Securely)

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = trim($_POST['username']);
    $password = $_POST['password']; // Never store raw passwords!

    // Example (use database instead of hardcoded values)
    if ($username === "admin" && $password === "12345") {
        echo "Login Successful!";
    } else {
        echo "Invalid Credentials!";
    }
}
?>

Best Practice: Always hash passwords using password_hash() before storing them in a database.

When to Use $_GET vs. $_POST (Real-World Examples)

Scenario	Recommended Method
Search engine queries (`search.php?query=PHP`)	`$_GET`
Contact forms, login, signup	`$_POST`
E-commerce product pages (`product.php?id=123`)	`$_GET`
File uploads	`$_POST`
API requests sending large data	`$_POST`
Bookmarkable URLs	`$_GET`

PHP $_GET & $_POST (Complete Guide with Examples)

Understanding $_GET (Sending Data via URL)

How $_GET Works in PHP

Example: Using $_GET

Create an HTML Form (get-form.html)