curiouswebster

Passing data in the URL params

Sometimes, I need to pass data in the URL. Is this considered bad practice?

Something like:
URL: https://mydomain.com/mailing?fc=123&uc=456&fname=TERESA&lname=LINDSEY

What are my options?

And what about creating a "blob" of characters and passing that in? It will be my PHP on the receiving end, so I could easily encode and decode this.

Thanks
ASKER CERTIFIED SOLUTION
Bembi
This solution is only available to members.
Also make sure to filter your input to prevent cross site scripting (XSS) attacks.
For a detailed description of XSS, see this link.
To properly answer this question we need to look at how URLs are meant to be used.

HTTP requests are based on Verbs
GET, POST, PUT, DELETE, etc

These Verbs have meaning
GET - retrieve a resource from the server
POST - create a new resource
PUT - update a resource
DELETE - remove a resource
And so on.

When we request a resource from the server (GET) it can be as a simple request
http://mydomain.com/mypage.html

Or it can be parameterised
https://mydomain.com/myscript.php?name=bob&status=active

In the second case the parameters are used to help the script determine what information to send back.

Likewise, when we want to create a data item on the server, we would issue a POST and put the data we are wanting to update in the body of the message in whatever format the receiving script is expecting (JSON, Form Encoded, XML, etc).

When we use one Verb to perform an operation that is technically in the domain of another Verb (for instance using a GET to update or create a resource on the server) this is considered bad practice.

If the example you gave above is to retrieve information then not only is it not bad practice, in many cases it is necessary to ensure that the right data is retrieved.


curiouswebster

ASKER

In my case, I want to make a POST, but pass in the data (URL params) which I need to insert into the database.
@Sam Jacobs.
Don't you mean to filter the input params to block SQL Injection attacks?
Yes. For example, make sure there are no JavaScript tags.

In my case, I want to make a POST, but pass in the data

Why do you want to do it this way?
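
An added example, not part of the thread or any participant's code: a PHP sketch of the points discussed above, with the data sent in the POST body rather than the URL, validated on receipt, inserted with a prepared statement, and HTML-escaped when echoed back. The field names come from the asker's URL; the table layout, length limit and in-memory SQLite database (needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example. Field names fc, uc, fname, lname are taken from the asker's
// URL; the table layout and the 100-byte length limit are assumptions.

function validate_mailing(array $in): array {
    $clean = [];
    foreach (['fc', 'uc'] as $k) {
        // Numeric codes: accept digit strings only, reject anything else.
        if (!isset($in[$k]) || !is_string($in[$k]) || !ctype_digit($in[$k])) {
            throw new InvalidArgumentException("bad $k");
        }
        $clean[$k] = (int) $in[$k];
    }
    foreach (['fname', 'lname'] as $k) {
        $v = isset($in[$k]) && is_string($in[$k]) ? trim($in[$k]) : '';
        if ($v === '' || strlen($v) > 100) {
            throw new InvalidArgumentException("bad $k");
        }
        $clean[$k] = $v;   // stored as received; escaped later, at output time
    }
    return $clean;
}

function handle(string $method, array $body, PDO $db): string {
    if ($method !== 'POST') {          // a GET must not create rows
        return '405 Method Not Allowed';
    }
    $row = validate_mailing($body);
    // Placeholders keep the values out of the SQL text (SQL injection defence).
    $stmt = $db->prepare(
        'INSERT INTO mailing (fc, uc, fname, lname) VALUES (:fc, :uc, :fname, :lname)');
    $stmt->execute($row);
    // Escape for the HTML context when echoing user data back (XSS defence).
    return 'Saved ' . htmlspecialchars($row['fname'], ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mailing (fc INTEGER, uc INTEGER, fname TEXT, lname TEXT)');

// Constructed requests: in a real script $method is $_SERVER['REQUEST_METHOD']
// and $body is $_POST (the form-encoded request body, not the query string).
echo handle('GET', ['fc' => '123'], $db), "\n";
echo handle('POST', ['fc' => '123', 'uc' => '456',
    'fname' => '<b>TERESA</b>', 'lname' => "O'LINDSEY"], $db), "\n";
echo $db->query('SELECT COUNT(*) FROM mailing')->fetchColumn(), " row(s)\n";
```

Keeping the names in the request body also keeps them out of server access logs, browser history and Referer headers, where query strings are routinely recorded.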