Do HTTP POST methods send data as a QueryString?
The best way to visualize this is to use a packet analyzer like Wireshark and follow the TCP stream. HTTP simply uses TCP to send a stream of data starting with a few lines of HTTP headers. Often this data is easy to read because it consists of HTML, CSS, or XML, but it can be any type of data that gets transfered over the internet (Executables, Images, Video, etc).
For a GET request, your computer requests a specific URL and the web server usually responds with a 200 status code and the the content of the webpage is sent directly after the HTTP response headers. This content is the same content you would see if you viewed the source of the webpage in your browser. The query string you mentioned is just part of the URL and gets included in the HTTP GET request header that your computer sends to the web server. Below is an example of an HTTP GET request to http://accel91.citrix.com:8000/OA_HTML/OALogout.jsp?menu=Y, followed by a 302 redirect response from the server. Some of the HTTP Headers are wrapped due to the size of the viewing window (these really only take one line each), and the 302 redirect includes a simple HTML webpage with a link to the redirected webpage (Most browsers will automatically redirect any 302 response to the URL listed in the Location header instead of displaying the HTML response):
For a POST request, you may still have a query string, but this is uncommon and does not have anything to do with the data that you are POSTing. Instead, the data is included directly after the HTTP headers that your browser sends to the server, similar to the 200 response that the web server uses to respond to a GET request. In the case of POSTing a simple web form this data is encoded using the same URL encoding that a query string uses, but if you are using a SOAP web service it could also be encoded using a multi-part MIME format and XML data.
For example here is what an HTTP POST to an XML based SOAP web service located at http://192.168.24.23:8090/msh looks like in Wireshark Follow TCP Stream:
HTTP POST with URL query parameters -- good idea or not?
If your action is not idempotent, then you MUST use POST
. If you don't, you're just asking for trouble down the line. GET
, PUT
and DELETE
methods are required to be idempotent. Imagine what would happen in your application if the client was pre-fetching every possible GET
request for your service – if this would cause side effects visible to the client, then something's wrong.
I agree that sending a POST
with a query string but without a body seems odd, but I think it can be appropriate in some situations.
Think of the query part of a URL as a command to the resource to limit the scope of the current request. Typically, query strings are used to sort or filter a GET
request (like ?page=1&sort=title
) but I suppose it makes sense on a POST
to also limit the scope (perhaps like ?action=delete&id=5
).
Is it valid to combine a form POST with a query string?
Is it valid according HTTP specifications ?
Yes.
Here is the general syntax of URL as defined in those specs
http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
There is no additional constraints on the form of the http_URL. In particular, the http method (i.e. POST,GET,PUT,HEAD,...) used don't add any restriction on the http URL format.
When using the GET method : the server can consider that the request body is empty.
When using the POST method : the server must handle the request body.
Is it a good idea ?
It depends what you need to do. I suggest you this link explaining the ideas behind GET and POST.
I can think that in some situation it can be handy to always have some parameters like the user language in the query part of the url.
Is using a query string in POST request a bad practice?
There's nothing wrong with using query parameters in a URL in a POST request, with or without a request body. If it makes semantic sense for your request, it's fine. The POST method in itself has a semantic meaning distinct from GET, it doesn't require a request body to be useful, and the URL is yet distinct from that again. A classic example might be:
POST /foo/bar?token=83q2fn2093c8jm203
I.e., passing some sort of token through the URL.
There's no general security problem here, since anyone who could intercept this POST request to read the URL could also read its body data; you'll hardly find an attacker in a position that allows them to read the URL but not the body. However, URLs are typically logged in server access logs and browser histories, while request bodies aren't; that may or may not be worth considering, depending on what information you're transporting in those parameters and who has access to those logs.
How are parameters sent in an HTTP POST request?
The values are sent in the request body, in the format that the content type specifies.
Usually the content type is application/x-www-form-urlencoded
, so the request body uses the same format as the query string:
parameter=value&also=another
When you use a file upload in the form, you use the multipart/form-data
encoding instead, which has a different format. It's more complicated, but you usually don't need to care what it looks like, so I won't show an example, but it can be good to know that it exists.
Is it okay to use HTTP POST method with a query string, if a query string is used to find the resources that need to be updated?
Is it okay to use HTTP POST method with a query string, if a query string is used to find the resources that need to be updated?
Yes.
Am I making wrong assumptions here?
No.
The key ideas being that you, as the author of the resource, get to choose its identifier
REST relies instead on the author choosing a resource identifier that best fits the nature of the concept being identified. -- Fielding, 2000
the query is part of the resource identifier
The query component contains non-hierarchical data that, along with data in the path component (Section 3.3), serves to identify a resource within the scope of the URI's scheme and naming authority -- RFC 3986
and that the semantics of HTTP methods are standardized across all resources
Once defined, a standardized method ought to have the same semantics when applied to any resource, though each resource determines for itself whether those semantics are implemented or allowed. -- RFC 7231
In Go's http package, how do I get the query string on a POST request?
A QueryString is, by definition, in the URL. You can access the URL of the request using req.URL
(doc). The URL object has a Query()
method (doc) that returns a Values
type, which is simply a map[string][]string
of the QueryString parameters.
If what you're looking for is the POST data as submitted by an HTML form, then this is (usually) a key-value pair in the request body. You're correct in your answer that you can call ParseForm()
and then use req.Form
field to get the map of key-value pairs, but you can also call FormValue(key)
to get the value of a specific key. This calls ParseForm()
if required, and gets values regardless of how they were sent (i.e. in query string or in the request body).
Related Topics
What Is the ::Content/::Slotted Pseudo-Element and How Does It Work
How to Override Inline !Important
How to View an HTML File in the Browser with Visual Studio Code
Convert a SQL Query Result Table to an HTML Table for Email
How to Choose Between Get and Post Methods in HTML Forms
Fallback for CSS Attributes Without Unit
Disable Spell-Checking on HTML Textfields
How to Validate the Size and Type of Input=File in HTML5
Including External HTML File to Another HTML File
Easiest Way to Extract the Urls from an HTML Page Using Sed or Awk Only
Why Does Overflow Hidden Stop Floating Elements Escaping Their Container
What Replaces Cellpadding, Cellspacing, Valign, and Align in HTML5 Tables
Do Http Post Methods Send Data as a Querystring
How to Show Local Picture in Web Page
Export HTML Table to Excel Using ASP.NET
How to Export Rmarkdown File to HTML Document with Two Columns
Html5 Video Element Request Stay Pending Forever (On Chrome)