Re: Query Parameters in POST method

From: S. Mike Dierken <mdierken@hotmail.com>
Date: Wed, 20 Nov 2002 22:14:11 -0800
To: <www-talk@w3.org>
Cc: <Diwakar.Shetty@oracle.com>
Message-ID: <OE46mXd8e73CrplLBZp0000b5aa@hotmail.com>


The URI identifies the resource you are sending data to - and that URI might
use query terms to identify itself.
The body of the request is the actual data being posted. The query terms
merely identify what resource (think 'object' sort of) you are talking to.
You could POST binary data, not just name/value pairs like an HTML form
does - and still use query terms to identify the target resource.
The target resource in this case is like a container for the POSTed data.
Perhaps a discussion and the content of the request message is a new
comment.

It's interesting that the wording of the RFC uses 'submission of data' and
'GET' in the same sentence. There is no data being submitted when you use
GET - it has no body. The URI might have query terms and that indeed should
not hold sensitive information - but it is confusing to talk about
'submission of data' as if GET does an update or something.

mike

----- Original Message -----
From: "Diwakar Shetty" <Diwakar.Shetty@oracle.com>
To: <www-talk@w3.org>
Sent: Wednesday, November 20, 2002 9:26 PM
Subject: Re: Query Parameters in POST method


>
> Thanks Ian
>
> I went through RFC 2616
>
> Indeed, there is no mention about restrictions on URI/URL so far as POST
> method is concerned.
>
> The only thing suggested in the RFC is that
> -----------------------------------------------------------------------
> 15.1.3 Encoding Sensitive Information in URI's
>    Authors of services which use the HTTP protocol SHOULD NOT use GET
>    based forms for the submission of sensitive data, because this will
>    cause this data to be encoded in the Request-URI
> -----------------------------------------------------------------------
>
> Thanks
> Diwakar
>
>
> Ian Clelland wrote:
>
> > On Wed, Nov 20, 2002 at 08:25:57PM +0530, Diwakar Shetty wrote:
> > > In case the method in a URL is a POST method,
> > > then is that the query parameters are ignored.
> > >
> > > e.g:
> > > POST /www.google.com/search?hl=en&ie=UTF
> > >
> > > Will this result in the query parameters "hl=en&ie=UTF" to be
> > > ignored as per HTTP standards ??
> >
> > Actually, the HTTP standard doesn't say anything about GET query
> > parameters, or how they relate to POST entities. As far as HTTP is
> > concerned, "/search?hl=en&ie=UTF" is the entire URL.
> >
> > In fact, HTTP doesn't even know anything about "parameters" as such. The
> > standard for encoding form variables in "name=value&name2=value2" format
> > is defined in the HTML specifications. All that HTTP sees is URLs and
> > data attached to POST requests. It is up to the server to decide what to
> > do with the URL it receives in the request, as well as with the attached
> > POST entity.
> >
> > If a query parameter is specified both as part of the URL and in POST
> > data, some applications (such as PHP) will only take one instance --
> > which one depends on the server configuration. In other applications,
> > such as a CGI, the program will have access to both parameters.
> >
> > So, while some people have already replied to your query with "no" or "I
> > can read both", the answer is really 'it depends'. The HTTP standard
> > doesn't say to ignore any data that comes in, but the data that you will
> > have access to depends on the server-side applications you run.
> >
> > Hope this helps,
> >
> > Ian Clelland
> > <ian@veryfresh.com>
>
Received on Thursday, 21 November 2002 01:13:32 GMT
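
An added example, not part of the original messages: a server-side sketch in Python that keeps the query terms of a POST Request-URI separate from the request body, reports names that appear in both (the "it depends" case described above), and masks sensitive query values before the Request-URI is logged. The function names, the `SENSITIVE` set and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs, parse_qsl, urlencode

FORM = "application/x-www-form-urlencoded"
SENSITIVE = {"password", "token"}  # assumption: names this site treats as sensitive


def split_post_params(target, body, content_type):
    """Return (query_params, body_params, names_in_both) for one POST request."""
    # The query terms belong to the Request-URI and exist whatever the method is.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Only a form-encoded body carries name/value pairs; any other media type
    # (binary data, for instance) is opaque to parameter parsing.
    if content_type.split(";")[0].strip().lower() == FORM:
        form = parse_qs(body.decode("ascii", "replace"), keep_blank_values=True)
    else:
        form = {}
    # Names present in both places are where frameworks disagree on precedence,
    # so surface them instead of silently picking one.
    return query, form, sorted(query.keys() & form.keys())


def redact_target(target):
    """Request-URI as it should reach a log: sensitive query values masked."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


if __name__ == "__main__":
    # Constructed sample: the same name in the URI query and in the form body.
    q, f, both = split_post_params("/search?hl=en&ie=UTF", b"hl=fr&q=test", FORM)
    print("query:", q, "body:", f, "ambiguous:", both)
    # Constructed sample: binary body, query terms still identify the resource.
    print(split_post_params("/discussion?id=7", b"\x89PNG\r\n", "image/png"))
    # Constructed sample: sensitive value placed in the Request-URI.
    print(redact_target("/login?user=bob&token=abc123"))
```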
