What is the "?" symbol in URL used for in php?

Question

I am new to PHP. In the path of learning PHP language, I notice that, some website would this kind of URL:

www.website.com/profile.php?user=roa3&...

My questions:

1. What is the "?" symbol used for?

2. If I were develop a php website, must I use it in my URL? For example, after a user(roa3) successful logged in, I will redirect to "www.website.com/profile.php?user=roa3" instead of "www.website.com/profile.php"

3. What are the advantages and disadvantages of using it?

Answer 1

The "?" signifies that some GET variables are to follow. You example uses a variable called "user", and assigns a variable called "roa3".

Advantages of using GET variables:

• they can be bookmarked as part of the URL

Disadvantages

• they are public.. Anyone can intercept and see this information. These url requests are even cached by servers along the journey. So anyone can impersonate your roa3 user just by typing that information in by hand... also they could change the roa3 to a different user and impersonate them..

You can also use a "&" symbol to separate many variables e.g.: www.website.com/profile.php?user=roa3&fav_colour=blue

Other options:

• POST variables

  • You can send your variables via the POST variables. These variables are passed in the header of the request, not the url of the request. they are not immediately obvious, and are not cached by servers along teh journey, but they can still be read. unless you have a HTTPS conection established.
  • variables in a form can be sent by POST or GET methods.. You specify this in the "method" of the form. <form action="index.php" method='post'/>

• SESSION variables

  • Session variables are stored on the server. A session id is passed to the user, and this session id is passed back to the server every time the user makes another request. This session id can then be used to get the session variables that were stored. So you could store a user's favorite colour, their name, and ip address etc.. but you could store it on teh server rather than the user's home PC.
    Session ids can be impersonated, so it is good to check against the user's IP, and or to wrap them in a secure conection. eg https.
  • session variables can't be changed by someone who intercepted the request.

• COOKIE variable:
  Similar to the session variables, except that they are stored on the user's PC, not the server. They are stored against a domain, and when they go to that domain, they resubmit the variables in the header of the request to the server.. this means that the user could change and hack the variables, or someone else could.

To access these variables in php you can use:

• $x = $_GET['user'] for a get variable
• $x = $_POST['user]
• $x = $_REQUEST['user'] - the combination of get, post and cookie variables
• $x = $_COOKIE['user'] - cookie variables
• $x = $_SESSION['user'] to access the session variables

(user could be replaced with the name of the variable you are using)

Simple enough stuff, but important to know what they actually do.

Answer 2

? is part of the HTTP standard and not part of PHP. Thought I should point that out so when you move on to another language and see it again you are not confused thinking there is PHP involved.

Otherwise there are some excellent answers above.

Answer 3

Most of the answers I've seen so far have been in terms of PHP, when in reality this isn't language specific. The answers given so far have been from the view of PHP and the methods you would use to access the information differ from one language to the next, but the format in which the data is in the URL (known as the Query String) will remain the same (Ex: page.ext?key1=value&key2=value&...).

I don't know your technical background or knowledge, so please forgive me...

There are two different methods for a web page to provide data back to the web server. These are known as the POST or GET methods. There also also a bunch of others, but none of those should be used in any sort of web design when dealing with a normal user. The POST method is sent invisibly to the server and is meant for 'uploading' data, while the GET method is visible to the user as the Query String in the URL and is only meant to literally 'get' information.

Not all sites follow this rule of thumb, but there can be reasons as to why. For example, a site could use POST exclusively to get around caching by proxy servers or your browser, or because they use double byte languages and can cause issues when trying to perform a GET because of the encoding conversion.

Some resources about the two methods and when to use them...

http://www.cs.tut.fi/~jkorpela/forms/methods.html http://weblogs.asp.net/mschwarz/archive/2006/12/04/post-vs-get.aspx http://en.wikipedia.org/wiki/Query_string

Now from a strictly PHP position, there are now 3 different arrays you can use to get the information a webpage has sent back to the server. You have to your disposal...

• $_POST['keyname'], to grab only the information from a POST method
• $_GET['keyname'], to grab only the information from a GET method
• $_REQUEST['keyname'], to allow you to grab the POST, GET, and any COOKIE information that might have been submitted. Sort of a catchall, especially in cases where you don't know which method a page might be using to submit data.

Don't get sloppy by going directly with the $_REQUEST method. Unless you have a case like I mentioned above for the $_REQUEST variable, then don't use it. You want to try and use a 'deny all, and only allow x,y,z' approach when it comes to security. Only look for the data that you know your own site will be sending, only look for the combinations that you'll be expecting, and cleanse all of the information before you use it. For example..

• Never do an eval() on anything passed via the above methods. I've never seen this done, but it doesn't mean people haven't tried or do.
• Never use the information directly with databases without cleaning them (research into SQL injection attacks if you're not familiar with them)

This is by far not the end-all, be-all to PHP security, but we're not here for that. If you want to know more along line, well then thats another question for SO.

Hope this helps and feel free to ask any questions.

Answer 4

Good questions, briefly,

1. "?" stands for the start of querying string which contains the data to be passed to the server. in this case you are passing user=roa3 to profile.php page. You can get the data by using $_GET['user'] within profile.php. querystring is one of the methods to send data to the server from client agent. The other one places the data in HTTP body and POST to the server, you don't see the HTTP POST　data directly from browser.

2. querystring can be edited by user and it is visible to the public. If www.website.com/profile.php?user=roa3 is intended to be public then it is fine, otherwise you may want to use session to get current user's context.

3. it is a flexible way to pass data to the server, but it is visible and editable to the users, for some sensitive data, at least produce some kind of hash before attaching it to the querystring, this prevents users to edit it or understanding the meaning of it. However this doesn't prevent a decent hacker to do something wrong about your website. Different browsers support different max length of URL, the lengthy URL is made up by those querystring parameters. If you want to send large amount of data, place the data in the HTTP body and POST to the server.

Answer 5

1) If a user logs in to your site, you would use Sessions to store there username instead of passing it in the url e.g profile.php?username=roa3

2) Using a ? symbol in the urls is generally considered bad for Search Engine Optimization. Also, the urls look a bit ugly. Using mod_rewrite you can do the same thing as profile.php?user=roa3 or products.php?id=123&category=toys with: site.com/profile/roa3 or products/toys/123.

Using the CodeIgniter framework will give you friendly URLs by default and eliminate the need for ?s in your urls. See this page for an example.

3) The ? symbol is also used inside the code of a php page. For example, an if else block such as:

if ($x==1)
   $y=2;
else
   $y=3;

can also be written as:

$y=($x==1) ? 2 : 3;

Answer 6

1. "?" is used to separate the URL and the parameters. For e.g, it is like http://www.url.com/resourcepath?a=b&c=d. In this case a=b is like request_parameter=request_value.

2. Ya, Its not advisable to use much of the parameters because the total url size is limited and it is like GET request, where all the parameters are shown on the url and the user can modify it. In your example, say what if a user modify the url to "user=techmaddy'.

3. Advantage is it can be used for the GET kind of requests. Disadvantage is low security, limitation in size.

Answer 7

From the server's point of view, the ? is just another character. PHP provides easy methods for parts of the URL after the ? character, e.g. for "/profile.php?user=roa3", PHP will set $_GET['user'] = 'roa3'.

The reason ? is useful in URLs is that browsers can construct dynamic URLs using forms -- in the case above, I would expect that the URL was built by an HTTP form with a field "user", into which the human user has typed "roa3".