On Jul 15, 2009, at 11:10 AM, Chris Burgess wrote:

> Yesterday I noticed that one of my customer's DNS control panels had
> GET links which would allow deletion of a DNS entry.
>
> Link prefetching and tools like Google Web Accelerator (where did that
> go?) caused a bunch of fuss in 2005 or so when they would tap every
> GET URL onscreen to "speed up" your web experience. Around that time,
> most folks who didn't already know why GET should be safe learned
> pretty fast.
>
> Seeing the same mistake today got me thinking, because I know why GET
> URIs should be safe (not change data, OK to fire repeatedly,
> idempotent if you like long words) and any request which does make a
> change in the backend system should be POST (or perhaps another
> request type which is not defined as safe).
>
> http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Safe_methods
>
> But we still see a lot of cases where the vote up / down links and
> other not-so-critical in web apps are GET. It's just easier, right?
> Even though it's not The Right Thing to do, it gets done sometimes.
>
> Where do you draw the line? What's the best example you've seen of
> where a GET request not being safe bit back?

Best example is PHP session id, when you turned cookies off.

> Mine: A customer, about to relocate hosting, decided to copy the data
> in their admin interface out using a web scraper. The admin interface,
> written in 1999 or so, used GET to delete records. The scraper did
> just that in a matter of minutes.

NZ PHP Users Group: http://groups.google.com/group/nzphpug
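The scenario in the thread, as an added example that is not part of any message above or of any real control panel: a toy DNS-record admin backend that exposes deletion first as a GET link (the mistake described) and then as a POST form carrying a per-session token. A simulated link prefetcher that issues a GET to every href it sees (the behaviour attributed to Google Web Accelerator and to the customer's scraper) wipes the records in the first design and cannot touch them in the second, because it never submits forms. The class and function names, URL paths, record names and addresses are all constructed for illustration.

```python
"""Added example (not from the original thread): unsafe GET deletion beside
a POST-only, token-checked deletion, with a simulated link prefetcher.
All names, paths and records here are constructed for illustration."""
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample zone; 192.0.2.0/24 is the documentation range (TEST-NET-1).
SAMPLE_RECORDS = {"www": "192.0.2.10", "mail": "192.0.2.20", "ns1": "192.0.2.30"}


class DnsAdmin:
    """Minimal request handler: handle(method, url, body) -> (status, text).

    safe_get=False reproduces the bug from the thread: /delete?name=... mutates
    state on a plain GET. safe_get=True only deletes on POST with a valid token.
    """

    def __init__(self, records, safe_get=True):
        self.records = dict(records)
        self.safe_get = safe_get
        # Assumption: one anti-CSRF token per session, embedded in each form.
        self.csrf_token = secrets.token_hex(16)

    def handle(self, method, url, body=""):
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        form = parse_qs(body)
        if parts.path == "/records":
            return 200, self.render_list()
        if parts.path == "/delete":
            if not self.safe_get:
                # Vulnerable variant: any GET with ?name=... deletes the record.
                return self.delete(query.get("name", [""])[0])
            # Hardened variant: refuse safe methods, then require the token.
            if method != "POST":
                return 405, "Method Not Allowed"
            supplied = form.get("token", [""])[0]
            if not hmac.compare_digest(supplied, self.csrf_token):
                return 403, "Bad token"
            return self.delete(form.get("name", [""])[0])
        return 404, "Not Found"

    def delete(self, name):
        if name in self.records:
            del self.records[name]
            return 200, "deleted"
        return 404, "no such record"

    def render_list(self):
        """Listing page: deletion rendered as GET links (unsafe) or POST forms."""
        rows = []
        for name in sorted(self.records):
            if self.safe_get:
                rows.append(
                    f'<form method="POST" action="/delete">'
                    f'<input type="hidden" name="name" value="{name}">'
                    f'<input type="hidden" name="token" value="{self.csrf_token}">'
                    f'<button>delete {name}</button></form>'
                )
            else:
                rows.append(f'<a href="/delete?name={name}">delete {name}</a>')
        return "<ul>" + "".join(f"<li>{r}</li>" for r in rows) + "</ul>"


def prefetch_all_links(app):
    """Simulated prefetcher / scraper: GET the listing, then GET every href in
    it. It never submits forms, which is exactly why POST forms survive it.
    Returns the number of links followed."""
    _, html = app.handle("GET", "/records")
    hrefs = re.findall(r'href="([^"]+)"', html)
    for href in hrefs:
        app.handle("GET", href)
    return len(hrefs)


if __name__ == "__main__":
    vuln = DnsAdmin(SAMPLE_RECORDS, safe_get=False)
    print("unsafe design: followed", prefetch_all_links(vuln), "links; records left:", vuln.records)
    safe = DnsAdmin(SAMPLE_RECORDS)
    print("safe design:   followed", prefetch_all_links(safe), "links; records left:", safe.records)
```

Two things the hardened handler does that the method change alone does not: it answers a GET on /delete with 405 rather than silently ignoring it, which makes stray prefetch traffic visible in the access log, and it checks the form token with a constant-time compare, so a POST forged from another origin (the classic CSRF follow-on once GET is fixed) is rejected as well.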
