What is the "?" symbol in URL used for in php?

I am new to PHP. In the path of learning the PHP language, I notice that some websites would use this kind of URL:

www.website.com/profile.php?user=roa3&...

My questions:

  1. What is the "?" symbol used for?

  2. If I were to develop a PHP website, must I use it in my URL? For example, after a user (roa3) successfully logs in, I will redirect to "www.website.com/profile.php?user=roa3" instead of "www.website.com/profile.php"

  3. What are the advantages and disadvantages of using it?


Good questions, briefly,

  1. "?" stands for the start of the query string, which contains the data to be passed to the server. In this case you are passing user=roa3 to the profile.php page. You can get the data by using $_GET['user'] within profile.php. The query string is one of the methods to send data to the server from the client agent. The other one places the data in the HTTP body and POSTs it to the server; you don't see the HTTP POST data directly in the browser.

  2. The query string can be edited by the user and is visible to the public. If www.website.com/profile.php?user=roa3 is intended to be public then it is fine, otherwise you may want to use a session to get the current user's context.

  3. It is a flexible way to pass data to the server, but it is visible and editable to users. For some sensitive data, at least produce some kind of hash before attaching it to the query string; this prevents users from editing it or understanding its meaning. However, this doesn't prevent a decent hacker from doing something wrong to your website. Different browsers support different maximum URL lengths, and a lengthy URL is made up of those query string parameters. If you want to send a large amount of data, place the data in the HTTP body and POST it to the server.


Most of the answers I've seen so far have been in terms of PHP, when in reality this isn't language specific. The answers given so far have been from the view of PHP and the methods you would use to access the information differ from one language to the next, but the format in which the data is in the URL (known as the Query String) will remain the same (Ex: page.ext?key1=value&key2=value&...).

I don't know your technical background or knowledge, so please forgive me...

There are two different methods for a web page to provide data back to the web server. These are known as the POST and GET methods. There are also a bunch of others, but none of those should be used in any sort of web design when dealing with a normal user. The POST method is sent invisibly to the server and is meant for 'uploading' data, while the GET method is visible to the user as the Query String in the URL and is only meant to literally 'get' information.

Not all sites follow this rule of thumb, but there can be reasons as to why. For example, a site could use POST exclusively to get around caching by proxy servers or your browser, or because they use double-byte languages, which can cause issues when trying to perform a GET because of the encoding conversion.

Some resources about the two methods and when to use them...

http://www.cs.tut.fi/~jkorpela/forms/methods.html
http://weblogs.asp.net/mschwarz/archive/2006/12/04/post-vs-get.aspx
http://en.wikipedia.org/wiki/Query_string

Now from a strictly PHP position, there are now 3 different arrays you can use to get the information a webpage has sent back to the server. You have at your disposal...

  • $_POST['keyname'], to grab only the information from a POST method
  • $_GET['keyname'], to grab only the information from a GET method
  • $_REQUEST['keyname'], to allow you to grab the POST, GET, and any COOKIE information that might have been submitted. Sort of a catchall, especially in cases where you don't know which method a page might be using to submit data.

Don't get sloppy by going directly with the $_REQUEST method. Unless you have a case like I mentioned above for the $_REQUEST variable, then don't use it. You want to try and use a 'deny all, and only allow x,y,z' approach when it comes to security. Only look for the data that you know your own site will be sending, only look for the combinations that you'll be expecting, and cleanse all of the information before you use it. For example...

  • Never do an eval() on anything passed via the above methods. I've never seen this done, but that doesn't mean people haven't tried or don't.
  • Never use the information directly with databases without cleaning them (research into SQL injection attacks if you're not familiar with them)

This is by far not the end-all, be-all of PHP security, but we're not here for that. If you want to know more along those lines, well then that's another question for SO.

Hope this helps and feel free to ask any questions.
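A profile.php along the lines both answers describe: it reads the one expected key from $_GET with an allow-list, decides ownership from the server-side session rather than from ?user=, and binds the value in a prepared statement. This is an added example, not code from the question or either answer; the `users` table, the sample row and the simulated session are constructed assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question or either answer. Assumes a
// hypothetical `users` table (username, display_name); the in-memory SQLite
// database and its single row are constructed so the script runs offline.

// Allow-list the shape of a username; anything else is rejected outright.
function validUsername(string $name): bool
{
    return preg_match('/^[a-z0-9_]{3,20}$/i', $name) === 1;
}

// Read the one key we expect, from $_GET only (not the $_REQUEST catch-all).
function requestedUser(array $get): ?string
{
    $user = $get['user'] ?? null;
    return (is_string($user) && validUsername($user)) ? $user : null;
}

// Bind the value as a parameter so it can never alter the SQL itself.
function loadProfile(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, display_name FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: stands in for the real database and a logged-in session.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)');
$db->exec("INSERT INTO users VALUES ('roa3', 'Roa Three')");
$_GET['user'] = $_GET['user'] ?? 'roa3';     // as if requested as profile.php?user=roa3
$_SESSION = ['username' => 'roa3'];          // a real page calls session_start() instead

$user = requestedUser($_GET);
if ($user === null) {
    http_response_code(400);
    exit("Bad request: missing or malformed user parameter\n");
}
$profile = loadProfile($db, $user);
if ($profile === null) {
    http_response_code(404);
    exit("No such user\n");
}
// Ownership (may edit, see private data) comes from the session, never from ?user=
$isOwner = ($_SESSION['username'] ?? null) === $user;
// Escape on output so the stored value cannot inject markup into the page.
$name = htmlspecialchars($profile['display_name'], ENT_QUOTES, 'UTF-8');
printf("Profile of %s (viewer is owner: %s)\n", $name, $isOwner ? 'yes' : 'no');
```

Run it from the command line to see the happy path, or change the assigned $_GET['user'] to something like `roa3' OR 1=1` to watch the allow-list reject it before the query is ever built.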