Practical eCommerce


POST, GET and State Changes

Author: Brian Getting
Publish Date: May 03, 2007
Blog: Developers' Corner
Tags: restful, mod_rewrite


I figured I would post about this one, as it is something that I have picked up along the path of learning more about developing websites. I'll be the first to admit that in the past I have broken this rule thousands of times, but at least now I keep an eye out for it and try to adhere to it. The rule that I speak of is that any request to a server that actuates a state change should be sent using a POST request. Surprisingly, that sentence is much more complicated than the idea that it conveys. There's a lot of that going around on the Internet.

First of all, a GET request is a way of sending variables to a server via the URL string. An example would be a dynamic URL such as:

www.example.com/showuser.php?userid=2319

Here you can see that the user id is passed to the server in the URL. This information is visible to anyone who views the page, as opposed to a POST request, which is the method by which most web forms are submitted. POST requests are usually associated with forms, but by using JavaScript and other methods normal links can be coaxed into posting data. There are also other types like DELETE, but I won't go into those.

What do we mean by state change? I find an example is easier to understand, so let's pretend that you have a website interface that lets you manage users. While viewing a list of users, you have the option to edit them and delete them. If you delete a user, you are changing the state of the server, since that user will now be deleted. You may click the "edit" option, which simply shows information about that user. In that request, nothing was changed on the server. Information was simply requested and delivered. However, once a change to that information is made (such as by changing a field and submitting that form) then the request to the server causes that change to be written to the database. Here, another state change has occurred, so that request should be wrapped in a POST request.

Take a common mistake from my past. In admin interfaces where the user has the option of deleting records, such as the users in our example, the "delete" link would call a script that would delete the record by passing that record ID in the URL. In other words, a GET request. While it seems harmless enough, theoretically someone could do some damage just by playing around with the URLs. Instead, the "delete" links should generate a POST request, mostly to avoid any potential security issues, but also because it is good form.

Generally, I try to wrap any request that will write something to the server or instruct the server to change a state in a POST request. Times where I am simply asking for information, such as grabbing rows from a database, I will use GET requests since there is no state change occurring. Since I started in this business as a designer, this is all pretty new to me. I've learned that it's important to train yourself to catch these little things as they come up, since it can be a pain to go back and rewrite an application later on.

One last thing about GET requests is that they require dynamic URLs like the one above. While you are developing applications that utilize GET requests, try to clean up those URLs by eliminating the ? characters and using mod_rewrite to route your requests. It's much easier to keep track of this from the beginning of a project than it is to go back later. By doing this, the URL we showed above would be rewritten as:

www.example.com/show/2319
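As an added example (not code from this post), here is a small Python router that puts both ideas above together: pretty paths are rewritten to the script-plus-query form the way a mod_rewrite rule would, and any script that writes to the server is refused unless the request arrives by POST. The in-memory user table, the route table and every script name other than showuser.php are made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory stand-in for the user table.
USERS = {2319: "alice", 2320: "bob"}

# Pretty-URL rules in the spirit of mod_rewrite: /show/2319 becomes the dynamic
# URL from the post. edituser.php, saveuser.php and deleteuser.php are hypothetical.
REWRITES = [
    (re.compile(r"^/show/(\d+)$"), "/showuser.php?userid={0}"),
    (re.compile(r"^/edit/(\d+)$"), "/edituser.php?userid={0}"),
    (re.compile(r"^/save/(\d+)$"), "/saveuser.php?userid={0}"),
    (re.compile(r"^/delete/(\d+)$"), "/deleteuser.php?userid={0}"),
]

# Scripts that write to the server. Viewing a user and showing the edit form are read-only.
STATE_CHANGING = {"/saveuser.php", "/deleteuser.php"}


def rewrite(path):
    """Map a pretty path to its script?query form; other paths pass through unchanged."""
    for pattern, target in REWRITES:
        match = pattern.match(path)
        if match:
            return target.format(*match.groups())
    return path


def handle(method, url, form=None):
    """Dispatch one request and return (status, body)."""
    parts = urlsplit(url)
    script, _, query = rewrite(parts.path).partition("?")
    params = {k: v[0] for k, v in parse_qs(query or parts.query).items()}
    if script in STATE_CHANGING and method != "POST":
        # A state change reachable by GET fires from any link, image tag or
        # prefetching client, so refuse it before touching the database.
        # (POST is necessary but not sufficient: a CSRF token check belongs here too.)
        return 405, "%s requires POST" % script
    uid = int(params.get("userid", 0))
    if uid not in USERS:
        return 404, "no such user"
    if script in ("/showuser.php", "/edituser.php"):
        return 200, USERS[uid]  # read only, so GET is fine
    if script == "/saveuser.php":
        USERS[uid] = (form or {}).get("name", USERS[uid])
        return 200, "saved %d" % uid
    if script == "/deleteuser.php":
        del USERS[uid]
        return 200, "deleted %d" % uid
    return 404, "unknown script"
```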

