I am (just for fun) trying to implement a High Score web-service. I would like it to be compatible with REST principles. I want to be able to add a new highscore using URL parameters like this: http://mydomain.com/hs/add&name=John&score=987. According to REST this must be done using a POST request, which leads to an empty POST request with all data contained in the URL parameters. Would this be considered a bad practice?

Update
Security is currently not a big concern.

A: 

Very bad. The user can manipulate the score. You should apply some sort of encryption, even if it's simple, before submitting the score through the query string.

Ed B
Using a true POST would only make it marginally more difficult. The real solution may be a kind of encryption, but that's not what the user is asking.
MvanGeest
Even with POST values, it is easy to manipulate that data.
poke
+10  A: 

The common way to do it would be to send a POST to http://mydomain.com/hs/add with the content:

name=John&score=987 (for simple urlencoded data, would be different for e.g. multipart encoded data; the format of the POST request body is arbitrary and outside of the scope of REST recommendations – it could even be arbitrary encrypted data, as others have suggested).

A GET request for adding a new highscore would not only be a violation of REST principles, but also a violation of RFC 2616, which requires GET requests to be idempotent.

EDIT

Is it bad practice to pass data in the query string and post an empty body?

Yes. The URL should describe the resource that's being subjected to the action described by the HTTP method. Hence, probably the best option would be to have http://mydomain.com/hs as a URL and let the body completely describe the action.

The query string could possibly be used to further qualify requests without a body, e.g.:

http://mydomain.com/hs?period=lastmonth (GET)

Artefacto
I'm not sure how this answers the question. If I'm reading it correctly, the question was: Is it bad practice to pass data in the query string and post an empty body?
Darrel Miller
OK, I'll edit the answer to address that.
Artefacto
Thanks for the detailed and helpful answer (especially the edit).
StackedCrooked
A: 

GET should be utilized when obtaining data. When adding or manipulating data, you should always use POST.

That way a user won't:

  • Accidentally go to the url again and render all of your data dirty
  • Purposefully alter your database
Kenneth Reitz
+1  A: 

You use a question mark before the parameters, so it would be: http://mydomain.com/hs/add?name=John&score=987. However, the idea is that the URL should be the name of the resource, and the request method should decide what to do.

So, the correct URL would be just http://mydomain.com/hs, and you would send the parameters in the POST data instead. As it's a POST request, it will add data to the resource.

Guffa
Why the downvote? If you don't explain what it is that you don't like, it can't improve the answer.
Guffa
A: 

Use a POST request to prevent the following situation:

  • User logs in
  • Web browser saves authentication information between sessions
  • User receives, for example, an email with HTML that contains a tag like <img src='http://mydomain.com/hs/add?name=John&score=987' ... />
  • Mail client tries to download the image, automatically uses credentials stored in the web browser, and adds or deletes information from/to your system silently.
STO
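
As an added example (not code from any answer on this page), here is a minimal WSGI handler for the layout the answers above recommend: the resource lives at /hs, GET only reads, and a new score is accepted only from a POST body, so the image-tag GET described in this answer changes nothing. The in-memory `SCORES` list and the `call` helper are assumptions made for the demonstration.

```python
import io
from urllib.parse import parse_qs

SCORES = []  # in-memory store, stands in for a database (assumption)


def app(environ, start_response):
    """WSGI app for the /hs resource: GET reads, POST with a form body adds."""
    method = environ["REQUEST_METHOD"]
    path = environ.get("PATH_INFO", "")

    def reply(status, body, extra=()):
        start_response(status, [("Content-Type", "text/plain; charset=utf-8"), *extra])
        return [body.encode()]

    if path != "/hs":
        # Covers /hs/add too: the action lives in the method, not the URL.
        return reply("404 Not Found", "no such resource\n")

    if method == "GET":
        # Safe method: the query string may filter the listing but never writes.
        top = sorted(SCORES, key=lambda s: -s[1])
        return reply("200 OK", "".join(f"{n} {s}\n" for n, s in top))

    if method != "POST":
        return reply("405 Method Not Allowed", "", [("Allow", "GET, POST")])

    # State change: read fields from the request body only, ignore QUERY_STRING.
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return reply("400 Bad Request", "bad Content-Length\n")
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8", "replace"))
    name = form.get("name", [""])[0].strip()
    score = form.get("score", [""])[0]
    if not name or not (score.isascii() and score.isdigit()):
        return reply("400 Bad Request", "name and numeric score required\n")
    SCORES.append((name, int(score)))
    return reply("201 Created", f"{name} {score}\n")


def call(method, path, query="", body=b""):
    """Drive the app with a constructed request; returns the status line."""
    seen = []
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    app(env, lambda status, headers: seen.append(status))
    return seen[0]
```

A cross-site HTML form can still submit a POST, so an authenticated endpoint also needs a CSRF token or a SameSite cookie policy.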
+1  A: 

No, using url parameters in a POST is not bad practice as far as REST is concerned. This seems to be a perfectly valid approach to me.

From an aesthetics perspective I would suggest a URL such as

 POST http://mydomain.com/highscores?name=John&score=987
Darrel Miller