At 4/7/2007 03:10 AM, Stut wrote:
> The difference between get and post is not what you *can* do, it's
> what you *should* do.
> Get, as the name implies, should be used when retrieving a page. The
> URL, including the query string, should contain info needed to
> retrieve the right page. No significant changes to either session or
> persistent data should be made in response to a get request.
> Post is used to send data to the server, and should be used when
> modifying something. That something could be 'the logged in user'
> (in the case of a login form), or 'a blog entry' (in the case of a
> blog entry editor form).
> Put more simply, get requests should not make significant changes to
> the data or state of your website, always use post requests for that.
> These implied "rules" have existed since HTTP was invented, and when
> you think about it they make a lot of sense. They also get
> emphasized by the existence of so-called web accelerators that
> simply pre-fetch URLs on the page the user is viewing. If you have
> simple links (i.e. get requests) that make changes to your website's
> data or state, the accelerator will seriously screw it up.
Of course, in today's web, making a page request often modifies data
on the server -- consider breadcrumb managers, search engine
databases, Google Analytics, web stats, page counters,
page-generation processes, etc.
And then there are the ubiquitous spiders (both friendly and
unfriendly) that walk our sites all the time, exploring all the links.
And spiders don't restrict themselves to following hyperlinks --
consider the spam robots that activate contact forms and forum engines.
The moral of the story is: don't put get links OR post actions on
your pages that result in automatic modification of significant data
without thoughtful validation of incoming data. As always.
Regards,
Paul
__________________________
Paul Novitski
Juniper Webcraft Ltd.
http://juniperwebcraft.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
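As an added illustration of the thread's point (example code, not from either poster): a PHP "delete entry" handler that acts on a plain GET link, which a prefetching accelerator or a spider will trigger just by following the link, beside a version that only acts on a validated POST. It goes one step beyond the thread by also requiring a per-session form token so that a robot submitting the form blindly is rejected; the $store array, the session key csrf_token and the function names are assumptions.

```php
<?php
// Added example, not code from the mailing-list thread.
// $store stands in for persistent data (constructed sample).
$store = [5 => 'Hello world', 6 => 'Second post'];

// BEFORE: a link such as delete.php?id=5 deletes the entry on GET.
// Anything that follows links (accelerator, spider) deletes it too.
function delete_entry_insecure(array &$store, array $query): string
{
    $id = (int) ($query['id'] ?? 0);
    unset($store[$id]);
    return "deleted $id";
}

// AFTER: refuse anything but POST, require the token the form was
// given (assumed session key csrf_token), and validate the id before
// touching the data.
function delete_entry_secure(array &$store, string $method, array $post, array $session): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed'; // a GET must not change state
    }
    $token = (string) ($post['csrf_token'] ?? '');
    if ($token === '' || !hash_equals((string) ($session['csrf_token'] ?? ''), $token)) {
        return '403 Forbidden'; // not submitted from our own form
    }
    $id = (string) ($post['id'] ?? '');
    if (!ctype_digit($id) || !isset($store[(int) $id])) {
        return '400 Bad Request'; // validate incoming data, as always
    }
    unset($store[(int) $id]);
    return 'deleted ' . (int) $id;
}

// Token the server would place in the form and in the session.
$session = ['csrf_token' => bin2hex(random_bytes(16))];

echo delete_entry_secure($store, 'GET',  ['id' => 5], $session), "\n"; // 405 Method Not Allowed
echo delete_entry_secure($store, 'POST', ['id' => 5], $session), "\n"; // 403 Forbidden
echo delete_entry_secure($store, 'POST', ['id' => 'x', 'csrf_token' => $session['csrf_token']], $session), "\n"; // 400 Bad Request
echo delete_entry_secure($store, 'POST', ['id' => 5, 'csrf_token' => $session['csrf_token']], $session), "\n"; // deleted 5
echo count($store), "\n"; // 1 (entry 5 is gone, entry 6 remains)
```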