When submitting a GET form, the query string is removed from the action URL

html forms http-get

Consider this form:

<form action="http://www.blabla.com?a=1&b=2" method="GET">
    <input type="hidden" name="c" value="3" /> 
</form>

When submitting this GET form, the parameters a and b are disappearing.
Is there a reason for that?
Is there a way of avoiding this behaviour?


Solution 1:

Isn't that what hidden parameters are for to start with...?

<form action="http://www.example.com" method="GET">
  <input type="hidden" name="a" value="1" /> 
  <input type="hidden" name="b" value="2" /> 
  <input type="hidden" name="c" value="3" /> 
  <input type="submit" /> 
</form>

I wouldn't count on any browser retaining any existing query string in the action URL.

As the specifications (RFC1866, page 46; HTML 4.x section 17.13.3) state:

If the method is "get" and the action is an HTTP URI, the user agent takes the value of action, appends a `?' to it, then appends the form data set, encoded using the "application/x-www-form-urlencoded" content type.

Maybe one could percent-encode the action-URL to embed the question mark and the parameters, and then cross one's fingers to hope all browsers would leave that URL as it (and validate that the server understands it too). But I'd never rely on that.

By the way: it's not different for non-hidden form fields. For POST the action URL could hold a query string though.

Solution 2:

In HTML5, this is per-spec behaviour.

See Association of controls and forms - Form submission algorithm.

Look at "4.10.22.3 Form submission algorithm", step 17. In the case of a GET form to an http/s URI with a query string:

Let destination be a new URL that is equal to the action except that its <query> component is replaced by query (adding a U+003F QUESTION MARK character (?) if appropriate).

So, your browser will trash the existing "?..." part of your URI and replace it with a new one based on your form.

In HTML 4.01, the spec produces invalid URIs - most browsers didn't actually do this though...

See Forms - Processing form data, step four - the URI will have a ? appended, even if it already contains one.

Solution 3:

What you can do is using a simple foreach on the table containing the GET information. For example in PHP :

foreach ($_GET as $key => $value) {
    $key = htmlspecialchars($key);
    $value = htmlspecialchars($value);
    echo "<input type='hidden' name='$key' value='$value'/>";
}

As the GET values are coming from the user, we should escape them before printing on screen.

Related

How to show google.com in an iframe?
Evaluating string "3*(4+2)" yield int 18 [duplicate]
"Submit is not a function" error in JavaScript
What is the proper declaration of main in C++?
Target class controller does not exist - Laravel 8
How do I tell git to always select my local version for conflicted merges on a specific file?
using jquery $.ajax to call a PHP function
Meaning of acronym SSO in the context of std::string
Efficient way to rotate a list in python
Creating object with dynamic keys [duplicate]
Extract a single (unsigned) integer from a string
Usage of the backtick character (`) in JavaScript