Hello, I've collected some data and created a db. I am putting together a website allowing users to search the db with a search-query functionality. I am pretty much building a Google-like engine, although the data is stored in MySQL.
If I use a GET form in the search page (which is what most engines do), then the query results are displayed in pages where the URL contains the query_string (for example, www.blahblah.com/search.php?queryitem1=my1&queryitem2=my2+my3). So far so good, but in my case the data is of a local nature (say, a yellow page type of thing with some extras) and someone can basically pick the entire database by running a script like:

wget www.blahblah.com/search.php?zip=00001
wget www.blahblah.com/search.php?zip=00002
..........
wget www.blahblah.com/search.php?zip=99999

This is something I would like to prevent. Could someone please offer their opinion on:

1. How to best go about it with a GET form?
2. Is it indeed doable with a POST form in the search page (as opposed to a GET form)?
3. I've read that the main advantage of a GET vs POST form is that someone can bookmark a search results page (e.g. www.blahblah.com/search.php?zip=12356) if the form is GET. Any other advantages/disadvantages that I am missing?

Looking forward to everyone's input!

Thank you in advance,
Costas
