tags:

views:

91

answers:

5
+1  Q: 

Obeying the POST to modify data

So I've read you should use POST for anything that could modify data.

E.g.

BAD

<a href="edit.php?id=12">Edit</a>

GOOD

<form action="edit.php" action="post"><input type="hidden" name="id" value="12" /><button type="submit">Edit</button></form>

Now obviously the first once is more terse, but it would be considered the wrong way to do it.

Now usually the extra markup isn't too bad of a problem, but say I might be displaying this markup 20 times, or perhaps more. And then there is the question of 'should it have a fieldset and legend elements for the form'.

What is the general best practice for this? Or have I got this thing back to front?

+1  A: 

Generally when passing lots of data to the server to be processed or stored, using POST is a good idea, since GET has a lower limit than that of POST. POST also has the added benefit of being relatively hidden to the user, except during transmission if not encrypted.

If you're passing simple values like what you're passing above, however, then using GET isn't a problem (unless you like sleek URL's, that is..)

BraedenP  2009-11-05 06:24:56
A: 

having a link with an id is fine, if you ensure id are id (like numbers) and you proper escapement

what is wrong is to post some form as GET like it make long url the user can bookmark it and that a bad move.

something like that would be not good

<form>
 <input type="text" name="firstname"/>
 <input type="text" name="lastname"/>
 ...
</form>

Also has good form policy I advice you to take a look at the POST/Redirect/GET policy.

RageZ  2009-11-05 06:26:03
Oh yes I know about that policy. Thanks for your answer.
alex  2009-11-05 06:32:38
+3  A: 

It depends what visiting edit.php?id=12 does. Does it actually change something, or does it display another page that allows you to edit something?

If it's just displaying a page that allows you to edit something, then GET is fine. If it's actually changing something, then POST is the correct, semantic thing to do, and you have to deal with the fact that the markup is a bit bloated.

The practical problem with GET requests that modify data is that they might get followed by mistake - think bookmarks, back/forward buttons (many browsers display a warning if you try and re-submit a POST request this way), search engines following links etc.

Dominic Rodger  2009-11-05 06:28:32
+1  A: 

Ok, you got your reason to not use GET correct.

Let's take an example. Suppose you have a script which increments or decrements a counter based on a radio button submission.

Let's say:

www.example.com/index.php?var=inc causes increment and www.example.com/index.php?var=dec causes decrement.

The problem is that if a user accidently refreshes, forwards or bookmarks the URL to your script, your counter will go nuts!

This is the classic case when you should prefer POST.

The other case obviously is when you are submitting sensitive information like passwords etc.

Crimson  2009-11-05 06:31:20
+2  A: 

The best way I can summarize this is in two easy lists:

When POST is better than GET

  • Other than duplicate form submissions, users are much less likely to accidentally duplicate a POST request since you can't bookmark POST requests, and if you click the URL bar and press enter the POST request won't resend all the data
  • POST allows you to add files
  • The POST whenever there's a state change also allows for an easier semantic distinction when programming the backend
  • POST requests are easier to code since you don't have to serialize or escape user data POST requests done through forms are the norm, so it's much easier to tack on an AJAX plugin if you feel the urge in the future

When GET is better than POST

  • GET requests can be bookmarked. Things like search queries should always be GET requests.
  • If you decide to get uber-strict on page expiration (no-cache and the whole business), when users click back on their browser, pages generated with POST data will not resend the POST data to create the page, where as the GET request will remain the same as it was originally
  • GET requests make more "sense" to some users

Regarding your specific problem, I infer that you want to take the user to a page where they can edit some page with ID=12. If this is the case, the link to the edit page should be a simple HREF with GET (you might want to consider using .htaccess rewrite to prettify your URLs so it looks like edit/12 rather than edit.php?id=12). The edit page itself should be a form that sends POST data.

Steven Xu  2009-11-05 06:38:33

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases