POST /blog/ HTTP/1.1
Host: carsonified.com

name1=value1&name2=value2

GET vs POST Basics

In between new additions to our vocabularies (think ““), sections, & of help us to conclude the first rule of GET vs POST.

Rule #1: Use GET for safe actions and POST for unsafe actions.

The RFC instructs internet browsers to make users aware that, when reissuing a previously made POST request, the action (e.g. placing an order) is potentially unsafe.

On said:
That Iain Lamb quote is the first I’ve heard of that performance issue – very interesting. I’d like to know which browsers it affects. I don’t think it should affect the decision of whether to use GET or POST for the vast majority of cases. Ajax autocomplete is the most performance-critical Ajax interaction, and that uses GET already. This might be a consideration for real-time collaboration applications (MobWrite / EtherPad etc.) but for everything else I’d stick to the HTTP standard defined rules of which verb to use.

On said:
Take it easy!

1. My point assumes that SSL is already in use (i.e. a given) – check my comments above. Also, what exactly are “encrypted URIs” and how would you go about using them?

2. My claim is based on research done by Iain Lamb, co-founder of the Oddpost webmail startup that was acquired by Yahoo! and eventually became the basis for the all-new Yahoo! Mail. His research showed a “rather baffling finding: POST requests, made via the XMLHTTP object, send header and body data in separate tcp/ip packets and therefore, xmlhttp GET performs better when sending small amounts of data than an xmlhttp POST.” That is why Yahoo includes the use of GET instead of POST as one of their high performance speed optimisation rules.

On said:
Just a quick point that encrypting the URLs by itself isn’t necessarily secure, because a potential hacker has access to the same black box (the site) for encrypting the URLs as the victim. If you have the ability to create your own encrypted string it becomes much easier to exploit any weaknesses in the algorithms. In reality, it’s always safer to stick with established methods of securing traffic such as SSL (or its successors) rather than trying to implement your own security layer.
Unless you’re a real security genius you’re likely to end up making things less secure.

On said:
Just a quick comment on the bullet point “GET requests can be hacked” — so may POST requests. In fact, there are extensions for Firefox that make doing so trivial and make converting from GET to POST and back automatic. Better yet, nothing about GET or POST itself protects any data transmission (both are clear text — encryption is another matter altogether) or source verification (referring page, source IP, etc., are not factored by GET or POST).

Bottom line, security will not be hurt or enhanced by use of GET or POST.

Another point: using POST doesn’t mean you’re not storing sensitive information. You can enable POST logging in Apache and other web servers. Besides, once the data is transmitted via GET or POST it’s probably used by some program and that is another point at which the data could be stored.

Securing data is a multi-faceted vigil that depends little on which HTTP protocol one uses.

Want to discuss more? Email me: rjamestaylor @ gmail.

On said:
It is always important to remember that you cannot trust a user, meaning validate everything. No matter if that’s in a contact form or a CMS.

Furthermore, if you’re building a clean URL function for, say, a blog, then add an extra level of validation/security to your htaccess file, such as a rule to only accept letters and numbers and dashes. Rules such as that will add additional protection before the incoming request reaches your script.

Of course no amount of input sanitization can help you if your server is insecure, so why not invest in a good security package, and turn off all unused services and firewall ports.

On said:
@Simon #comment-13475

(Unfortunately, nesting only goes 2 or 3 levels deep.)

“How can you have an action that is idempotent but doesn’t modify state on the server?”

Apologies, what I meant to say was, “if you could make the action safe”; something which you can do through validation.

“Do you have any further information to back up your claim that GET is more responsive than POST?”

Yes.
When using XMLHttpRequest, browsers implement POST as a two-step process, sending the headers first and then the data, whilst GET is just one.

“The HTTP 1.1 RFC says “In particular, the convention has been established””

These specifications must be implemented by browsers, servers etc. We, as developers, are simply using it for guidance on how things work, rather than pure instruction. We’re free to break such conventions if we see fit, and that does occasionally occur. The RFC, for example, doesn’t take into consideration query lengths, usability or security. Sticking to it like glue, therefore, (IMHO) is not required as long as we understand it and its implications.

Yaron on said:
The discussion of idempotent/safe/validated misses a point (in favour of POST for all cases where you change something).

POST already provides an important service in making sure that you can send it accidentally by following a link or typing the URL. Remember the problems when some Google extension started to do extensive pre-fetching. All you need is to have a link pointing to your “delete whatever” action, and you’re losing control.

You can, of course, send back a verify screen. But if the verify screen also uses GET, then any sort of bot/browser/extension/other-program can follow that one as well. So you have to use POST in the verification screen. And if you’re using POST anyway, why not use POST to begin with and spare everyone a verification screen that may not be needed?

Again, GETs can happen in unplanned situations. POSTs don’t happen by mistake, and don’t happen accidentally by otherwise well-behaving software. It’s a mistake to allow your server to change state after a GET request, since you can never know that the GET request was genuine/intentional.

On said:
Another point I’d like to make is that I do agree with most/many of the comments here and that Michael’s guideline (which most follow) should keep developers safe most of the time.

I think that a lot of confusion has arisen from Ryan chopping out the original intro to this article (which he justly did due to its length). My goal was to be most comprehensive and counter for the fact that rules without justified explanations do not stand with everybody (with me being one such person).

To put things into context, I developed an application a few months back which simply returned the date-restricted results of a database.
Because the site had a rigid object-orientated form processor that was geared towards accepting POST, I went with the flow and used POST instead of GET.

On said:
Just to touch on the security point: I took it as a given that all sensitive data would be passed over using SSL. My point was that, even if SSL was being used, passing sensitive data over GET would keep it exposed to other users of the browser.

As angry as it makes me to see my credit card details show when hitting the down arrow on a previously filled credit card field, it would make me much angrier if the address bar’s auto-search would show my card details to someone typing in a URL in the address bar. (Much like the time the address bar decided to show my wife a matrimonial site I was looking at for a potential client.)

Ben on said:
Just to reiterate what Simon Willison points out above. The Rule #2, “Because query strings are transferred openly in GET requests, we have to consider our security and that of our users when dealing with sensitive data like passwords or credit card numbers”, is actually a misnomer. There is no difference in security between POST and GET. The major difference in “security” is that POSTed data is not visible in a URL. Both are open to packet sniffing.
Posted variables can also be accessed through a browser like Firefox’s history (see my comment above). The only true way of protecting sensitive data is through SSL. More here.

On said:
I think it is helpful to take the method’s name literally. “POST” is for posting something to a webserver, data that should go (persistently) “into” the application (e.g. database or so). “GET” in contrast is a request for getting something “out” of the application while the data (parameters) given with the request is just “meta-information” to tell the server which data should be returned. If you follow this rule whenever possible, it’s very likely that you choose the correct HTTP method.

Cheers,
Michael

On said:
Wait wait wait! You can use query variables in the URI for POST requests too. The important thing to remember is that the URI is used to identify a resource while posted content is intended to be processed by the resource. Which means you can POST “first=Vincent&last=Robert” to “/users?country=FR”. This is a way to say to the resource “list of users from France” to process (maybe add in this case) this user content.

I think REST describes it right. GET is only about URIs; it is about getting the representation of a resource identified by a URI. Now some prefer pretty URIs but using query variables is perfectly legal in HTTP. POST is about processing. It is about sending content to a resource for processing. Again, this resource can have a URI using query variables.

On said:
As you mentioned, Fahed, replies can’t nest deeper than 3 levels, so I’m replying to myself.

As I mentioned in my first comment/reply, “The query string is part of the URI and is NOT passed in the body as per the article.” I am referring to all HTTP Requests, irrespective of method (GET, POST, PUT, DELETE, or other). All HTTP Requests target a URI.
Per RFC 2396 (section 3), a URI is defined as:

<scheme>://<authority><path>?<query>

So all Requests have URIs and all URIs ‘may’ have querystrings, including POSTs. There is no difference between GET and POST as to how the querystring is handled. A POST request’s body is comprised of the name/value pairs of a serialized form element. In order to generate a POST request that contains a querystring separate from the body, create a form where the @action attribute is such: “handler.php?article=DefinitiveGuide”. If you were to inspect the body of this post request via Fiddler (or other) you’ll notice that the body does not contain an ‘article’ key (unless also specified as a form field). This can lead to some interesting server-side code, especially if you have querystring keys colliding with form fields of the same name.

PHP makes this even more confusing by naming its querystring autoglobal $_GET, which doesn’t necessarily imply a GET request. Given my previous form example, $_GET would contain a key for ‘article’ and $_POST would contain the fields of the form. See this post on SitePoint regarding GET/POST with PHP in particular.

I don’t disagree with any other point in your article. I even agree with your security point in GET. As Robert Taylor said, “Securing data is a multi-faceted vigil”. Simply preventing browser auto-complete of sensitive information is one (if minor) defense. But I digress. My only reason for posting is to illuminate yet another misconception regarding GET/POST and the ever lovely querystring.

Feel free to email me or twitter (@jasonkarns) with further discussion.

John on said:
There is a limit to query string length with GET (varies by container, but I believe Apache is 2KB, for example), but there is no ‘parameter’ limit with POST. The REST approach fails horribly in this regard, and instead the API should have been standardized around action words and all requests should have been of type POST. For example, standardized action prefixes such as “create”, “get”, “update”, “delete”:

action=getAccount
action=updateAccount
action=deleteAccount
action=createAccount
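Two points from this thread are easy to get wrong in server code: the querystring belongs to the URI and the form fields to the body, whatever the method (the @jasonkarns comment above), and a state-changing action must never run in response to a GET (Yaron's comment and Rule #1). The following is an added example, not code from the original article or any of its commenters. It parses a raw HTTP/1.1 request the way a server would and routes on John's create/get/update/delete action names; the host example.test, the paths and the sample requests are constructed for the demonstration.

```python
"""Added example (not from the Carsonified article or any commenter): a small
request parser and router that makes two points from the thread concrete.

1. The query string belongs to the request target (URI), the form fields to the
   body, so a POST to handler.php?article=DefinitiveGuide with the body
   first=Vincent&last=Robert keeps the two apart (PHP's $_GET vs $_POST).
2. An action that changes state (create/update/delete prefixes, as John
   suggests) is only dispatched on POST; a GET that names it is refused, so a
   prefetcher or anything following a link cannot trigger it.

Host name, paths and action names are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit

# Action-name prefixes that change server state.
UNSAFE_PREFIXES = ("create", "update", "delete")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query params and form params."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes beyond the declared body are not parsed.
    body = body[: int(headers.get("content-length", "0"))]
    parts = urlsplit(target)
    # Query parameters come from the URI, regardless of method.
    query = parse_qs(parts.query, keep_blank_values=True)
    # Form fields come only from a form-encoded body.
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    return {"method": method, "path": parts.path, "query": query, "form": form}


def dispatch(req: dict) -> tuple:
    """Route on the action name; refuse to run a state-changing action on GET."""
    # On a name collision the body field is used, but both dicts stay intact.
    action = (req["form"].get("action") or req["query"].get("action") or [""])[0]
    if not action:
        return 400, "missing action"
    if action.startswith(UNSAFE_PREFIXES) and req["method"] != "POST":
        return 405, f"{action} changes state and must be sent with POST"
    return 200, f"ran {action}"


# Constructed sample requests.
POST_WITH_QUERY = (
    b"POST /handler.php?article=DefinitiveGuide HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n\r\n"
    b"first=Vincent&last=Robert"
)
GET_DELETE = b"GET /account?action=deleteAccount&id=7 HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_DELETE = (
    b"POST /account HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n\r\n"
    b"action=deleteAccount&id=7"
)

if __name__ == "__main__":
    req = parse_request(POST_WITH_QUERY)
    print(req["query"])  # {'article': ['DefinitiveGuide']}  <- from the URI
    print(req["form"])   # {'first': ['Vincent'], 'last': ['Robert']}  <- from the body
    print(dispatch(parse_request(GET_DELETE)))   # (405, 'deleteAccount changes state and must be sent with POST')
    print(dispatch(parse_request(POST_DELETE)))  # (200, 'ran deleteAccount')
```

The parser never merges the two dictionaries, so a querystring key colliding with a form field of the same name stays visible in both places and the router has to choose explicitly; the 405 for a GET naming a delete action is what makes a prefetched or accidentally followed link harmless.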