I know it goes against the REST architecture but, from a pragmatic viewpoint, what is wrong about using GET request method to remove data from a database?

Let's say I built an application that has an administration panel. In the administration panel, admins can remove items by accessing URIs like these:

`/admin-panel/items-controller/remove-action/id/X`

Where X is a primary key of an item to be deleted.

Are there any practical disadvantages to using this approach? Please educate me because I don't understand why POST should be used for this.

My main problem with using POST for removing data is that instead of a simple link (easy to style in CSS) you have to print a form with POST method next to each item and then style it to look like a button/link. Or am I completely misunderstanding?

+4  A: 

It's very easy, through history or bookmarks, to re-enter a GET request without realizing it. If the GET is destructive this can lead to unintentional data loss. You might be safe if your keys aren't repeated, i.e., the action might just fail, but why put your application and data at risk? Destructive actions should always use either POST or DELETE, preferably the latter -- although that usually requires that it be done via AJAX so you often end up supporting both.

Typically what I do is set up the form with a button, as you note, but then I'll remove the button and replace it with a link and click handler to invoke the form submission via JavaScript. The delete is usually done via AJAX with the DELETE verb with the page contents being updated in the callback. This way the delete action works both on browsers with and without JavaScript enabled, but has enhanced functionality and styling when JavaScript is enabled (95%+ of the time).

tvanfosson
+7  A: 

Example: you are logged in to your admin panel with full privileges (able to delete). I'm a user with restricted privileges but with knowledge of your architecture. So I can easily give you a link to some "trusted" page where I can put

`<img src="/admin-panel/items-controller/remove-action/id/X" width="1" height="1">`

You load the page, and the item is deleted because the image request is sent from your admin account.

Shein Alexey
By the same token, you could disguise a form as a link (not difficult) and send it to me as well and the result would be the same, would it not? Or even simpler, why disguise the form? Just make it look like it does something else.
Richard Knop
@Richard: no. With a form submit disguised as a link, you still have to *click* on it. With the code above, the data is deleted merely by viewing the page.
Michael Borgwardt
This method will not prevent CSRF attack (see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Prevention_Measures_That_Do_NOT_Work)
Aleksey Otrubennikov
+8  A: 

Three words: search engine spiders.

Or browser plugins that prefetch links to speed up browsing. All kinds of software implicitly assume that a GET request can be made freely without negative effects. It's not just REST, the HTTP standard itself (RFC 2616) says so:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Michael Borgwardt
If a search spider has permission to delete content from your website, I think you have more to worry about than whether you use a GET request or not. ;)
Inspire
@Inspire: tell that to the guy who set up the Google Search Appliance for your intranet and naturally gave it broad access rights...
Michael Borgwardt
+1 - Reminds me of a post from the DailyWTF...
Justin Ethier
@Justin: this one: http://thedailywtf.com/Articles/The_Spider_of_Doom.aspx
Michael Borgwardt
@Michael Now that you've updated the post with more than just "Three words: search engine spiders" the information is a lot more valuable to the original poster. Your original post gave me the impression you simply meant that Google can just come along and delete your site, which shouldn't be the case.
Inspire
Even cheaper than a Google Search Appliance: one person in your company with `wget -r`.
Ken
@Inspire: What about Wiki-like open collaboration sites? It's quite possible to have a site where deleting stuff intentionally does not require credentials.
Michael Borgwardt
@Michael I'm not encouraging the use of GET to remove content and wouldn't use it to handle delete actions myself, but your original post solely mentioned search engine spiders without any explanation/examples and a _typical_ website exposes nothing to a search engine that would allow it to perform any delete actions regardless of which HTTP method is used. The scenarios you mentioned in your comments/updated post are perfectly valid and good examples of why GET shouldn't be used for delete actions and I would not have commented in the first place had you mentioned them previously.
Inspire
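
Added example, not part of the original answers or comments: a server-side handler for the question's remove URI that ties together the `<img>` scenario from the second answer and the crawler/prefetch scenario from the third. It refuses GET and HEAD outright and, because a comment above points out that POST alone does not stop CSRF, also requires a per-session token. The WSGI shape, the `sid` cookie, the `csrf` form field, the `X-CSRF-Token` header and the sample data are assumptions made for the illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from io import BytesIO
from urllib.parse import parse_qs

# Constructed sample data: two items and one logged-in admin session.
ITEMS = {1: "first item", 2: "second item"}
SESSIONS = {"sess-admin": {"role": "admin", "csrf": secrets.token_urlsafe(32)}}
REMOVE = "/admin-panel/items-controller/remove-action/id/"

def app(environ, start_response):
    """WSGI handler: removal never happens on GET/HEAD and needs a CSRF token."""
    def reply(status, body, extra=()):
        start_response(status, [("Content-Type", "text/plain"), *extra])
        return [body.encode()]
    path = environ.get("PATH_INFO", "")
    if not path.startswith(REMOVE):
        return reply("404 Not Found", "no such page")
    # Crawlers, prefetchers, history replays and <img> tags all send GET,
    # so a safe method must never reach the delete below.
    if environ["REQUEST_METHOD"] not in ("POST", "DELETE"):
        return reply("405 Method Not Allowed", "use POST or DELETE",
                     [("Allow", "POST, DELETE")])
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    session = SESSIONS.get(cookie["sid"].value if "sid" in cookie else "")
    if session is None or session["role"] != "admin":
        return reply("403 Forbidden", "admin login required")
    # POST alone can still be forged from another site, so also require the
    # per-session token: a form field, or a header for an AJAX DELETE.
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    token = environ.get("HTTP_X_CSRF_TOKEN") or form.get("csrf", [""])[0]
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return reply("403 Forbidden", "bad CSRF token")
    item_id = path[len(REMOVE):]
    if not item_id.isdigit() or int(item_id) not in ITEMS:
        return reply("404 Not Found", "no such item")
    del ITEMS[int(item_id)]
    return reply("200 OK", "deleted")

def request(method, path, cookie="", body=b"", csrf_header=""):
    """Send one constructed request to app() and return its status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body),
               "HTTP_X_CSRF_TOKEN": csrf_header}
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

The form-with-a-button from the first answer carries the token as a hidden `csrf` field; the AJAX DELETE variant sends the same value in the header.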