We help IT Professionals succeed at work.

how to post data safely via web form

BR asked
Dear Experts,

which one is more secure to post data for html form?

<form  method="post" >


<form  method="post" enctype="multipart/form-data" >

or anything you suggest?

I use PHP and HTML
Watch Question

BRDigital Marketing


is it safer to use it like this?

<form method="post" enctype="application/x-www-form-urlencoded">
Anything you post is not safer unless it's really encrypted. Therefore, it's not about your POST code, it's about if it's travelling over HTTP or HTTPS.
BRDigital Marketing


let me say that, my link is https, and I use post method,

If you use https, it doesn't really matter what POST method you use.
David FavorFractional CTO
Distinguished Expert 2018
As Kimputer said. You level of safety depends on your SSL cert + SSL Webserver config.

https://www.ssllabs.com/ssltest/ will give you an overview of quality of your SSL setup.

https://www.ssllabs.com/ssltest/ has been providing free + strong certs for years, so for me, I only setup HTTPS sites at this point.

If a client asks me to host a non-HTTPS site, I send them away.

HTTPS is your friend. Make HTTPS one of your first site setup steps + all your over the wire conversations will be secure.
Dave BaldwinFixer of Problems
Most Valuable Expert 2014
<form method="post" enctype="application/x-www-form-urlencoded">  is not about safety.  File uploads and some other forms require that to work properly.
Scott FellDeveloper & EE Moderator
Fellow 2018
Most Valuable Expert 2013

To add clarity, the encrypt type is not about encryption.  


This attribute lets you specify the value of the Content-Type HTTP header included in the request generated when the form is submitted. This header is very important because it tells the server what kind of data is being sent. By default, its value is application/x-www-form-urlencoded. In human terms, this means: "This is form data that has been encoded into URL parameters."

Then as Dave mentioned if you want to upload a file, then you would use multipart/form-data .

Then others have mentioned that using https is the way to go over http. That is also correct.

However, what has been left out is accepting data and mitigating Cross Site Scripting https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet and accepting clean data. It does not matter if you are using https or not, accepting bad data can be harmful to your app and database.  Both of these would warrant their own question threads.