Yesterday I noticed that one of my customer's DNS control panels had GET links which would allow deletion of a DNS entry.
Link prefetching and tools like Google Web Accelerator (where did that go?) caused a bunch of fuss in 2005 or so when they would tap every GET URL onscreen to "speed up" your web experience. Around that time, most folks who didn't already know why GET should be safe learned pretty fast.

Seeing the same mistake today got me thinking, because I know why GET URIs should be safe (not change data, OK to fire repeatedly, idempotent if you like long words) and any request which does make a change in the backend system should be POST (or perhaps another request type which is not defined as safe). http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Safe_methods

But we still see a lot of cases where the vote up / down links and other not-so-critical actions in web apps are GET. It's just easier, right? Even though it's not The Right Thing to do, it gets done sometimes. Where do you draw the line?

What's the best example you've seen of where a GET request not being safe bit back?

Mine: A customer, about to relocate hosting, decided to copy the data in their admin interface out using a web scraper. The admin interface, written in 1999 or so, used GET to delete records. The scraper did just that in a matter of minutes.

NZ PHP Users Group: http://groups.google.com/group/nzphpug
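The pattern the post describes, as an added PHP example that is not from the original message or from any of the products mentioned: a delete handler that acts on a plain GET link (the kind a prefetcher or scraper will follow) next to a version that only changes state on POST and answers GET with a form the user must submit. The script name `dns.php`, the `dns_delete_record()` function and the in-memory `$dns_records` table are all constructed for the example.

```php
<?php
// Added example, not code from the post. A tiny constructed "backend":
// record id => zone line. A real control panel would hit a database.
$dns_records = [
    42 => 'www.example.com.  A  192.0.2.10',
    43 => 'mail.example.com. A  192.0.2.20',
];

// Hypothetical backend call assumed by both handlers below.
function dns_delete_record(int $id): bool
{
    global $dns_records;
    if (!isset($dns_records[$id])) {
        return false;
    }
    unset($dns_records[$id]);
    return true;
}

// The mistake from the post: a link such as
//   <a href="/dns.php?action=delete&id=42">delete</a>
// performs the deletion on a GET. Anything that follows links on the page
// (link prefetchers, crawlers, a customer's backup scraper) deletes records.
function handle_delete_unsafe(array $get): string
{
    if (($get['action'] ?? '') === 'delete') {
        return dns_delete_record((int) ($get['id'] ?? 0)) ? 'Deleted' : 'No such record';
    }
    return 'Nothing to do';
}

// Safe version: GET is read-only and only renders a confirmation form;
// the actual state change is accepted on POST alone. Tools that merely
// fetch URLs never submit the form, so they cannot delete anything.
function handle_delete_safe(string $method, array $get, array $post): string
{
    if ($method === 'GET') {
        $id = (int) ($get['id'] ?? 0);
        return '<form method="post" action="/dns.php">'
             . '<input type="hidden" name="action" value="delete">'
             . '<input type="hidden" name="id" value="' . $id . '">'
             . '<button type="submit">Delete record ' . $id . '</button>'
             . '</form>';
    }
    if ($method !== 'POST') {
        // Reject anything else explicitly rather than falling through.
        http_response_code(405);
        header('Allow: GET, POST');
        return 'Method not allowed';
    }
    if (($post['action'] ?? '') === 'delete') {
        return dns_delete_record((int) ($post['id'] ?? 0)) ? 'Deleted' : 'No such record';
    }
    return 'Nothing to do';
}

// Entry point, as dns.php would be wired up:
echo handle_delete_safe($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST);
```

With the safe handler, the scraper from the post would have pulled a page of confirmation forms and left every record in place; the 405 branch makes the intended method set explicit so that HEAD or other automated probes do not slip through a permissive default.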
