
why use $_POST when you have $_SESSION?

P: n/a
Is there any particular reason I should still use $_POST?

Also, I'm reading mixed things about sessions. php.net says you can
propagate session IDs either via cookies or session IDs:
http://www.php.net/manual/en/ref.ses...sion.idpassing

OK cool.

However, PHP in a nutshell makes no mention of this. Paul just says
hey, use session_start() and you're on your way:

http://hudzilla.org/phpwiki/index.ph...s_and_sessions

I tested it out, and it works either way.

Can someone please explain what the session ID does?

Thanks!

Jan 26 '07 #1
14 Replies


P: n/a
The session ID is simply the key to a record which exists on the server, and
this record contains whatever session data you write to it. This means that
different PHP pages which provide the same session ID will connect to the
same session data on the server. This is the way that one web page passes its
state to another web page.

BTW, $_POST and $_SESSION are totally different, and it is not a case of
using one or the other. You will always use $_POST when sending data from
the client to the server, while the use of $_SESSION is totally optional and
invisible to the client.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org

"Sandman" <en*************@hotmail.com> wrote in message
news:11**********************@h3g2000cwc.googlegroups.com...
> Is there any particular reason I should still use $_POST?
>
> Also, I'm reading mixed things about sessions. php.net says you can
> propagate session IDs either via cookies or session IDs:
> http://www.php.net/manual/en/ref.ses...sion.idpassing
>
> OK cool.
>
> However, PHP in a nutshell makes no mention of this. Paul just says
> hey, use session_start() and you're on your way:
>
> http://hudzilla.org/phpwiki/index.ph...s_and_sessions
>
> I tested it out, and it works either way.
>
> Can someone please explain what the session ID does?
>
> Thanks!

Jan 26 '07 #2

P: n/a
Tony Marston wrote:
> You will always use $_POST when sending
> data from the client to the server,

Except when you use $_GET or $_REQUEST
Jan 26 '07 #3

P: n/a
Rik
Paul Lautman <pa**********@btinternet.com> wrote:
> Tony Marston wrote:
>> You will always use $_POST when sending
>> data from the client to the server,
>
> Except when you use $_GET or $_REQUEST

GETs should only be used to retrieve data, $_REQUEST is usually just
sloppy code.
--
Rik Wasmus
Jan 26 '07 #4

P: n/a
Hi Tony,
I guess the part where I had a question was where it was absolutely
required to use session IDs. It seems like it is possible to fill a
value in $_SESSION['user'] in, say page1.php. Then you go to page2.php,
and that value is still there. So why try to remember SIDs?

I think I understand the difference between $_POST and $_SESSION,
thanks for clearing that up.

EL

On Jan 26, 2:18 am, "Tony Marston" <t...@NOSPAM.demon.co.uk> wrote:
> The session ID is simply the key to a record which exists on the server, and
> this record contains whatever session data you write to it. This means that
> different PHP pages which provide the same session ID will connect to the
> same session data on the server. This is the way that one web page passes its
> state to another web page.
>
> BTW, $_POST and $_SESSION are totally different, and it is not a case of
> using one or the other. You will always use $_POST when sending data from
> the client to the server, while the use of $_SESSION is totally optional and
> invisible to the client.
>
> --
> Tony Marston
> http://www.tonymarston.net
> http://www.radicore.org
>
> "Sandman" <enjoylife_95...@hotmail.com> wrote in message
> news:11**********************@h3g2000cwc.googlegroups.com...
>> Is there any particular reason I should still use $_POST?
>> Also, I'm reading mixed things about sessions. php.net says you can
>> propagate session IDs either via cookies or session IDs:
>> http://www.php.net/manual/en/ref.ses...sion.idpassing
>> OK cool.
>> However, PHP in a nutshell makes no mention of this. Paul just says
>> hey, use session_start() and you're on your way:
>> http://hudzilla.org/phpwiki/index.ph...s_and_sessions
>> I tested it out, and it works either way.
>> Can someone please explain what the session ID does?
>> Thanks!
Jan 27 '07 #5

P: n/a
> I guess the part where I had a question was where it was absolutely
> required to use session IDs. It seems like it is possible to fill a
> value in $_SESSION['user'] in, say page1.php. Then you go to page2.php,
> and that value is still there. So why try to remember SIDs?

That value is still there *BECAUSE* you've got SIDs to tell you the first
hit is in the same session as the second hit. It's a database key.

> I think I understand the difference between $_POST and $_SESSION,
> thanks for clearing that up.

Jan 27 '07 #6

P: n/a
NC
On Jan 26, 2:02 am, "Sandman" <enjoylife_95...@hotmail.com> wrote:
> Is there any particular reason I should still use $_POST?

Yes. Forms.

> Also, I'm reading mixed things about sessions. php.net says you
> can propagate session IDs either via cookies or session IDs:
> http://www.php.net/manual/en/ref.ses...sion.idpassing

This is correct.

> However, PHP in a nutshell makes no mention of this. Paul just says
> hey, use session_start() and you're on your way:
>
> http://hudzilla.org/phpwiki/index.ph...s_and_sessions

This is only partially correct. You can do this only if the client
accepts cookies.

> I tested it out, and it works either way.

Disable cookies in your browser and try again. You will find that
session_start() doesn't do the trick anymore...

> Can someone please explain what the session ID does?

It provides an alternative session propagation mechanism for clients
that don't accept cookies.

Cheers,
NC

Jan 27 '07 #7

P: n/a
> Is there any particular reason I should still use $_POST?
>
> Also, I'm reading mixed things about sessions. php.net says you can
> propagate session IDs either via cookies or session IDs:
> http://www.php.net/manual/en/ref.ses...sion.idpassing
> ...
> Can someone please explain what the session ID does?

Let me summarize and extend the answers a bit:
You use $_POST, $_GET, or $_REQUEST for communication with the client.
For instance, if a user provides a login and a password, they come in
through $_POST (I hope).

You use $_SESSION for everything that is client-related, but should
remain on the server. For instance, all database IDs. If you keep the
UserID after a successful login, store it in a (new!) session and do not
put it in a hidden field. A hidden field is easily altered, which means
that after a successful login, you could simply "log over" to any other
user!

The session ID is something like a ticket with a number you get when
using the wardrobe of a theater. You get a piece of the theater's
storage space to put your personal belongings in, without the wardrobe
people knowing who you are. The only link between you and this temporarily
assigned space is the number on your ticket. So a session ID is a way of
anonymizing personally assigned space on the server.

Best regards.
Jan 27 '07 #8
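
The hidden-field problem described in the post above, as an added example that is not part of the original thread: the same tampered follow-up request is resolved once from a hidden form field and once from `$_SESSION`, with a fresh session ID issued at login. The accounts, passwords, field names (`user_id`, `login`, `password`) and function names are assumptions made up for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts (not from the thread).
function users(): array {
    return [
        1 => ['login' => 'alice', 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT)],
        2 => ['login' => 'bob',   'hash' => password_hash('bob-pw', PASSWORD_DEFAULT)],
    ];
}

// Weak pattern: the page believes whatever user id the form sends back.
function userIdFromHiddenField(array $post): ?int {
    return isset($post['user_id']) ? (int) $post['user_id'] : null;
}

// Login: credentials arrive in the POST data; the user id stays on the server.
function login(array $post, array $users): bool {
    foreach ($users as $id => $user) {
        if ($user['login'] === ($post['login'] ?? '')
            && password_verify((string) ($post['password'] ?? ''), $user['hash'])) {
            session_regenerate_id(true); // fresh session id at login
            $_SESSION['user_id'] = $id;
            return true;
        }
    }
    return false;
}

// Safer pattern: identity is read only from server-side session data.
function userIdFromSession(): ?int {
    return $_SESSION['user_id'] ?? null;
}

// All session calls happen before any output so the script also runs under the CLI.
session_save_path(sys_get_temp_dir());
session_start();
$idBefore = session_id();
$loggedIn = login(['login' => 'alice', 'password' => 'alice-pw'], users());
$idChanged = session_id() !== $idBefore;

// Constructed follow-up request: the hidden field was edited to bob's id.
$tampered = ['user_id' => '2', 'action' => 'show_account'];
$fromField = userIdFromHiddenField($tampered);
$fromSession = userIdFromSession();
session_destroy();

echo 'login ok: ', var_export($loggedIn, true), "\n";
echo 'session id changed at login: ', var_export($idChanged, true), "\n";
echo "hidden field selects user $fromField, session selects user $fromSession\n";
```

In a real page the arrays passed to these functions would be `$_POST` itself, and the only thing the browser holds is the session ID.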

P: n/a

"Paul Lautman" <pa**********@btinternet.com> wrote in message
news:51*************@mid.individual.net...
> Tony Marston wrote:
>> You will always use $_POST when sending
>> data from the client to the server,
>
> Except when you use $_GET or $_REQUEST

Wrong. $_GET is used to request data FROM the server, while $_POST is used
to send data TO the server.

--
Tony Marston

http://www.tonymarston.net
http://www.radicore.org

Jan 28 '07 #9

P: n/a
Tony Marston wrote:
> "Paul Lautman" <pa**********@btinternet.com> wrote in message
> news:51*************@mid.individual.net...
>> Tony Marston wrote:
>>> You will always use $_POST when sending
>>> data from the client to the server,
>> Except when you use $_GET or $_REQUEST
>
> Wrong. $_GET is used to request data FROM the server, while $_POST is used
> to send data TO the server.

No, Tony. $_GET is used to fetch information from the query string.
This can be from several sources - including <form action=get...>. But
$_GET is always used on the server, and the data always comes from the
browser.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jan 28 '07 #10

P: n/a

"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:wf******************************@comcast.com...
> Tony Marston wrote:
>> "Paul Lautman" <pa**********@btinternet.com> wrote in message
>> news:51*************@mid.individual.net...
>>> Tony Marston wrote:
>>>> You will always use $_POST when sending
>>>> data from the client to the server,
>>> Except when you use $_GET or $_REQUEST
>>
>> Wrong. $_GET is used to request data FROM the server, while $_POST is
>> used to send data TO the server.
>
> No, Tony. $_GET is used to fetch information from the query string. This
> can be from several sources - including <form action=get...>. But $_GET
> is always used on the server, and the data always comes from the browser.

I disagree. The GET method is used to fetch data from the server and send it
to the client. The POST method is used to send data from the client to the
server. The GET method is bookmark-able, whereas the POST method is not.
This is the correct way as it is not good practice to bookmark a URL which
updates the server.

--
Tony Marston
http://www.tonymarston.net
http://www.radicore.org
Jan 28 '07 #11

P: n/a
Rik
Tony Marston <to**@NOSPAM.demon.co.uk> wrote:
> "Jerry Stuckle" <js*******@attglobal.net> wrote in message
> news:wf******************************@comcast.com...
>> Tony Marston wrote:
>>> "Paul Lautman" <pa**********@btinternet.com> wrote in message
>>> news:51*************@mid.individual.net...
>>>> Tony Marston wrote:
>>>>> You will always use $_POST when sending
>>>>> data from the client to the server,
>>>> Except when you use $_GET or $_REQUEST
>>>
>>> Wrong. $_GET is used to request data FROM the server, while $_POST is
>>> used to send data TO the server.
>>
>> No, Tony. $_GET is used to fetch information from the query string. This
>> can be from several sources - including <form action=get...>. But $_GET
>> is always used on the server, and the data always comes from the browser.
>
> I disagree. The GET method is used to fetch data from the server and send it
> to the client. The POST method is used to send data from the client to the
> server. The GET method is bookmark-able, whereas the POST method is not.
> This is the correct way as it is not good practice to bookmark a URL which
> updates the server.

In both cases data is sent to the server. However, GET should only be used
to retrieve (specific) data, POST can be used to alter (add/delete/edit)
data. That's what was meant I'd say.
--
Rik Wasmus
Jan 28 '07 #12

P: n/a
Tony Marston wrote:
> "Jerry Stuckle" <js*******@attglobal.net> wrote in message
> news:wf******************************@comcast.com...
>> Tony Marston wrote:
>>> "Paul Lautman" <pa**********@btinternet.com> wrote in message
>>> news:51*************@mid.individual.net...
>>>> Tony Marston wrote:
>>>>> You will always use $_POST when sending
>>>>> data from the client to the server,
>>>> Except when you use $_GET or $_REQUEST
>>> Wrong. $_GET is used to request data FROM the server, while $_POST is
>>> used to send data TO the server.
>> No, Tony. $_GET is used to fetch information from the query string. This
>> can be from several sources - including <form action=get...>. But $_GET
>> is always used on the server, and the data always comes from the browser.
>
> I disagree. The GET method is used to fetch data from the server and send it
> to the client. The POST method is used to send data from the client to the
> server. The GET method is bookmark-able, whereas the POST method is not.
> This is the correct way as it is not good practice to bookmark a URL which
> updates the server.

I know you disagree, Tony. It's just another example of your
stoopidity. Not understanding what's going on.

Even though I know it's hopeless, here's an attempt to educate you.

GET and POST are both methods of requesting data from the server. Both
are sent by the browser to request a page from the server. They include
the URI to be retrieved.

The only difference between them is how they send specific data to the
server. The GET method includes parameters in the URI string. The POST
method sends the data as a separate string, similar to the way cookies
are sent. The only time the browser will send a POST request is in
response to a form with a method=post. However, you can POST to a form
yourself, i.e. by opening a socket and sending a POST request. That's
what CURL does when requested, for instance. Or, you can do it manually
(although I don't recommend it - it gets a bit complex).

Both are bookmarkable. The difference is that when you use a bookmark,
your browser will always do a GET, even if the original request was a
POST. This may or may not be important. For instance, often times a
form submits back to itself for parameter checking. In this case, you
would only have to fill in the data itself. If, however, the form
required data, you would get an error from the form itself.

I know all this is wasted on you, Tony. But maybe someone else will
learn from it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jan 28 '07 #13

P: n/a
On Jan 28, 10:51 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Tony Marston wrote:
>> "Jerry Stuckle" <jstuck...@attglobal.net> wrote in message
>> news:wf******************************@comcast.com...
>>> Tony Marston wrote:
>>>> "Paul Lautman" <paul.laut...@btinternet.com> wrote in message
>>>> news:51*************@mid.individual.net...
>>>>> Tony Marston wrote:
>>>>>> You will always use $_POST when sending
>>>>>> data from the client to the server,
>>>>> Except when you use $_GET or $_REQUEST
>>>> Wrong. $_GET is used to request data FROM the server, while $_POST is
>>>> used to send data TO the server.
>>> No, Tony. $_GET is used to fetch information from the query string. This
>>> can be from several sources - including <form action=get...>. But $_GET
>>> is always used on the server, and the data always comes from the browser.
>> I disagree. The GET method is used to fetch data from the server and send it
>> to the client. The POST method is used to send data from the client to the
>> server. The GET method is bookmark-able, whereas the POST method is not.
>> This is the correct way as it is not good practice to bookmark a URL which
>> updates the server.
>
> I know you disagree, Tony. It's just another example of your
> stoopidity. Not understanding what's going on.
>
> Even though I know it's hopeless, here's an attempt to educate you.
>
> GET and POST are both methods of requesting data from the server. Both
> are sent by the browser to request a page from the server. They include
> the URI to be retrieved.
>
> The only difference between them is how they send specific data to the
> server. The GET method includes parameters in the URI string. The POST
> method sends the data as a separate string, similar to the way cookies
> are sent. The only time the browser will send a POST request is in
> response to a form with a method=post. However, you can POST to a form
> yourself, i.e. by opening a socket and sending a POST request. That's
> what CURL does when requested, for instance. Or, you can do it manually
> (although I don't recommend it - it gets a bit complex).
>
> Both are bookmarkable. The difference is that when you use a bookmark,
> your browser will always do a GET, even if the original request was a
> POST. This may or may not be important. For instance, often times a
> form submits back to itself for parameter checking. In this case, you
> would only have to fill in the data itself. If, however, the form
> required data, you would get an error from the form itself.
>
> I know all this is wasted on you, Tony. But maybe someone else will
> learn from it.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================

Just to add on to what you were saying: the application that receives
the POST request on the server takes in the data through the STDIN
stream. POST requests can accommodate more data. Rik summed up the
purposes for using each pretty nicely. One should not allow records
from a database to be altered through a URI, like this, for example:
http://example.com/admin/?delete=some_ID. I used this when I was still
new to PHP and Web programming.

If only I had known about this newsgroup a long time ago, I probably
would've avoided more pitfalls earlier. ;-)

--
Curtis

Jan 30 '07 #14
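
One way to keep record deletion out of the URI, as an added example that is not code from the thread: a handler that treats GET as read-only and accepts a delete only as a POST from a logged-in session. It goes one step beyond the posts by also requiring a per-session token, since, as noted earlier in the thread, anyone can send a POST by hand; the `token` field name, the status codes chosen and the in-memory records are assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Handle one request against an in-memory "table". In a real page, $method would be
// $_SERVER['REQUEST_METHOD'] and the arrays would be $_GET, $_POST and $_SESSION.
function handle(string $method, array $get, array $post, array $session, array &$records): int {
    if ($method === 'GET') {
        // GET only reads. A delete parameter in the query string is refused,
        // so following a link or a bookmark cannot change stored data.
        return isset($get['delete']) ? 405 : 200;
    }
    if ($method !== 'POST') {
        return 405;
    }
    // POST alone proves nothing about who sent it: require a logged-in session
    // and the token that was issued to that session.
    if (!isset($session['user_id'], $session['token'])) {
        return 403;
    }
    if (!hash_equals($session['token'], (string) ($post['token'] ?? ''))) {
        return 403;
    }
    // The id must be an integer and must name an existing record.
    $id = filter_var($post['delete'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !array_key_exists($id, $records)) {
        return 404;
    }
    unset($records[$id]);
    return 204;
}

// Constructed data and requests for the demonstration.
$records = [7 => 'first row', 8 => 'second row'];
$session = ['user_id' => 1, 'token' => bin2hex(random_bytes(16))];
$good = ['delete' => '7', 'token' => $session['token']];

$results = [
    'GET  ?delete=7'            => handle('GET', ['delete' => '7'], [], $session, $records),
    'POST delete=7, no token'   => handle('POST', [], ['delete' => '7'], $session, $records),
    'POST delete=7, good token' => handle('POST', [], $good, $session, $records),
];
foreach ($results as $label => $status) {
    echo $label, ' -> ', $status, "\n";
}
echo 'remaining ids: ', implode(',', array_keys($records)), "\n";
```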

P: n/a
On Jan 28, 11:51 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>>>>>> You will always use $_POST when sending
>>>>>> data from the client to the server,
>>>>> Except when you use $_GET or $_REQUEST
>>>> Wrong. $_GET is used to request data FROM the server, while $_POST is
>>>> used to send data TO the server.
>>> No, Tony. $_GET is used to fetch information from the query string. This
>>> can be from several sources - including <form action=get...>. But $_GET
>>> is always used on the server, and the data always comes from the browser.
>> I disagree. The GET method is used to fetch data from the server and send it
>> to the client. The POST method is used to send data from the client to the
>> server. The GET method is bookmark-able, whereas the POST method is not.
>> This is the correct way as it is not good practice to bookmark a URL which
>> updates the server.
>
> I know you disagree, Tony. It's just another example of your
> stoopidity. Not understanding what's going on.
>
> Even though I know it's hopeless, here's an attempt to educate you.
>
> GET and POST are both methods of requesting data from the server. Both
> are sent by the browser to request a page from the server. They include
> the URI to be retrieved.
>
> The only difference between them is how they send specific data to the
> server. The GET method includes parameters in the URI string. The POST
> method sends the data as a separate string, similar to the way cookies
> are sent. The only time the browser will send a POST request is in
> response to a form with a method=post. However, you can POST to a form
> yourself, i.e. by opening a socket and sending a POST request. That's
> what CURL does when requested, for instance. Or, you can do it manually
> (although I don't recommend it - it gets a bit complex).

Also since GET method includes parameters in the URL list, it is not
preferred since you would not want the user data moving across in the
URL which could be easily played around. Ok, then you could encrypt
and send the data in the URL but then there is a limit on the amount
of data you can transfer using GET in the URL.

<snip>

Jan 30 '07 #15
