64

I'd like to know if the POST method on HTTP sends data as a QueryString, or if it use a special structure to pass the data to the server.

In fact, when I analyze the communication with POST method from client to server (with Fiddler for example), I don't see any QueryString, but a Form Body context with the name/value pairs.

alex
  • 6,818
  • 9
  • 52
  • 103
kwichz
  • 2,363
  • 5
  • 23
  • 25
  • 3
    as far as i know its actually the same with GET, the only difference is that the query string is not appended to the url – lock May 03 '11 at 23:19
  • 2
    I'd always thought only GET did the query string, but http://en.wikipedia.org/wiki/POST_%28HTTP%29 says the same as lock. Interesting. – morewry May 03 '11 at 23:20

5 Answers5

54

The best way to visualize this is to use a packet analyzer like Wireshark and follow the TCP stream. HTTP simply uses TCP to send a stream of data starting with a few lines of HTTP headers. Often this data is easy to read because it consists of HTML, CSS, or XML, but it can be any type of data that gets transfered over the internet (Executables, Images, Video, etc).

For a GET request, your computer requests a specific URL and the web server usually responds with a 200 status code and the the content of the webpage is sent directly after the HTTP response headers. This content is the same content you would see if you viewed the source of the webpage in your browser. The query string you mentioned is just part of the URL and gets included in the HTTP GET request header that your computer sends to the web server. Below is an example of an HTTP GET request to http://accel91.citrix.com:8000/OA_HTML/OALogout.jsp?menu=Y, followed by a 302 redirect response from the server. Some of the HTTP Headers are wrapped due to the size of the viewing window (these really only take one line each), and the 302 redirect includes a simple HTML webpage with a link to the redirected webpage (Most browsers will automatically redirect any 302 response to the URL listed in the Location header instead of displaying the HTML response):

HTTP GET with 302 redirect

For a POST request, you may still have a query string, but this is uncommon and does not have anything to do with the data that you are POSTing. Instead, the data is included directly after the HTTP headers that your browser sends to the server, similar to the 200 response that the web server uses to respond to a GET request. In the case of POSTing a simple web form this data is encoded using the same URL encoding that a query string uses, but if you are using a SOAP web service it could also be encoded using a multi-part MIME format and XML data.

For example here is what an HTTP POST to an XML based SOAP web service located at http://192.168.24.23:8090/msh looks like in Wireshark Follow TCP Stream:

HTTP POST TCP Stream

Greg Bray
  • 14,929
  • 12
  • 80
  • 104
  • 1
    Great answer - just might want to clarify from [rfc3986 3.4](https://tools.ietf.org/html/rfc3986#section-3.4) "The query component contains non-hierarchical data that, along with data in the path component (Section 3.3), serves to identify a resource". Meaning, in the context of a POST, the query represents non-hierarchical data pointing to the resource you're posting to. The best example I can think of is a database table with composite PKs. E.g. a person table with pks of name and age "/person?name=matt&age=80" in lieu of a single pk where the url might be "/person/146" – aaaaaa Jun 03 '16 at 07:30
30

Post uses the message body to send the information back to the server, as opposed to Get, which uses the query string (everything after the question mark). It is possible to send both a Get query string and a Post message body in the same request, but that can get a bit confusing so is best avoided.

Generally, best practice dictates that you use Get when you want to retrieve data, and Post when you want to alter it. (These rules aren't set in stone, the specs don't forbid altering data with Get, but it's generally avoided on the grounds that you don't want people making changes just by clicking a link or typing a URL)

Conversely, you can use Post to retrieve data without changing it, but using Get means you can bookmark the page, or share the URL with other people, things you couldn't do if you'd used Post.

As for the actual format of the data sent in the message body, that's entirely up to the sender and is specified with the Content-Type header. If not specified, the default content-type for HTML forms is application/x-www-form-urlencoded, which means the server will expect the post body to be a string encoded in a similar manner to a GET query string. However this can't be depended on in all cases. RFC2616 says the following on the Content-Type header:

Any HTTP/1.1 message containing an entity-body SHOULD include a
Content-Type header field defining the media type of that body. If
and only if the media type is not given by a Content-Type field, the
recipient MAY attempt to guess the media type via inspection of its
content and/or the name extension(s) of the URI used to identify the
resource. If the media type remains unknown, the recipient SHOULD
treat it as type "application/octet-stream".

GordonM
  • 31,179
  • 15
  • 87
  • 129
  • But what send? A query string? As said before, on jQuery, if I try to send this string data: param1=1&param2', using POST and AJAX, it automatically convert this QueryString putting these variabiles in the body of the request :) – kwichz May 04 '11 at 16:25
  • What's sent is entirely up to you. By default it's a string encoded like a query string, but it could be JSON, XML, plain text, even binary data. The Content-Type header tells the server what kind of data to expect in the POST body. – GordonM Feb 23 '16 at 18:55
  • "If not specified, the default content-type is application/x-www-form-urlencoded" — That's for HTML forms, not in general. – Quentin Feb 09 '18 at 12:09
  • @Quentin You're right, I checked the RFC and updated the answer. – GordonM Feb 12 '18 at 10:10
23

A POST request can include a query string, however normally it doesn't - a standard HTML form with a POST action will not normally include a query string for example.

Justin
  • 84,773
  • 49
  • 224
  • 367
  • 1
    is it secure if post contains query string? I mean like how about the data passed through query string? – Yohanim Jun 23 '21 at 03:50
5

GET will send the data as a querystring, but POST will not. Rather it will send it in the body of the request.

ataddeini
  • 4,931
  • 26
  • 34
  • 1
    Uhm...that's strange anyway! If, on jQuery, I try to send this string `data: param1=1&param2',` using POST and AJAX, it automatically convert this `QueryString` putting these variabiles in the body of the request :) – kwichz May 04 '11 at 10:14
  • Straight to the point. This is the most simple concept regarding the difference of QueryString and POST, regarding my studies. – ivanleoncz Dec 03 '16 at 21:49
1

If your post try to reach the following URL

mypage.php?id=1

you will have the POST data but also GET data.

jsgoupil
  • 3,788
  • 3
  • 38
  • 53