URL Parameters and Form Parameters

A parameter is a name=value pair that is passed automatically from the browser to the server. Typically, the parameters are used as input by a server-side script, for example, an ASP.

There are two kinds of parameters: A) URL parameters and B) Form parameters.

A) URL parameters (a.k.a. query strings) are passed to a server in two ways:

1. Hard-Coded URL. The general format for URL parameters in a link: <a href="filename.asp?param1=val1&param2=val2">link name</a>

   Example:

   <a href="asp-bin/products.asp?catID=1">link name</a>

2. Form Submitted Using Method="GET"
   
   When a form is submitted using "get", all form data is appended to the URL specified in the action attribute (and will be displayed in the URL location bar).
   
   Example: <form name="orderForm" action="../php/products.asp" method="GET"> ... </form> When the user clicks the submit button on the above form, the URL for the ASP on the server side will include the form data, and this will be displayed in the browser location bar:
   
   http://localhost/382/php/products.asp?catID=1&director=Will+Smith
   
   On the server side, the form parameters can be referenced by name in an PHP. Dreamweaver automates this process in a variety of ways. To see an example of code that can be hard-coded into the body of an ASP to display the values of URL parameters in a web page, read Displaying URL Parameters in the body of an ASP.

B) Form parameters: Form Submitted Using Method="POST"

When a form is submitted using "post", all form data is is sent in body of HTTP request and will not be displayed in the URL location bar. This method is preferred when, for example, the form includes a password or other confidential user data.

C) Differences between GET and POST. (From Programming PHP, by Ledorf & Tatroe, pp. 162-163.)

1. User's can bookmark URL query strings, since all the query parameters are encoded in the URL. This is not possible with Post requests.
   
   
2. The biggest difference is that the HTTP specification says Get requests are idempotent-- i.e. multiple Get requests always return the same page. Therefore, the browser can cache the response page. Get requests should not be used for any actions that cause a change in the server, like placing an order or updating a database.
   
   Post requests are not idempotent. This means they cannot be cached and the server is recontacted every time the page loads. You've probably seen your web browser prompt you with "Repost form data?" before displaying or reloading certain pages.
   
   This makes Post requests preferred for queries that are time-sensitive: e.g., time schedules, shopping carts, etc.
   

D) Question: What Request Method does Google's search page use to answer your query?

URL parameters can be passed to a third party

URL parameters appear as the "tail" of a URL, and are displayed in the location bar of your browser. The next site you request in your browser will receive that URL, parameters and all. This is because the HTTP header includes a Referrer field that is the URL of the page that made the request.

Example:

You open siteA.html, and fill in a form (method='get'), and click Submit, which automatically opens siteA.asp.

The page returned by siteA.asp displays in your browser; the URL parameters are displayed in the location bar.

You then click on a link which requests siteB.html-- the http header requesting siteB.html will include the URL parameters.

siteB's server logs will include your Referrer information; these logs, knowingly or unknowingly, may be publicly accessible. Thus you may become a target of "Referrer spam".

For more information, read HTTP Request fields and Request Methods