tags:

views:

177

answers:

7

As far as I know what GET can do, the same can be achieved by POST. So why was GET required in first place while defining HTTP protocol. If GET is only for fetching the resource, people can still update resources by sending the parameters values in URL. Why this loophole? Or the guy who did the coding on server side to update the resource on GET request has written a bad code?

+3  A: 

Anytime you do a web search and you want to link someone to it, you can easily do it through:

http://www.google.com/search?q=lol

Can you imagine telling someone to do a POST request instead? A POST request isn't really bookmarkable like that, which is why GET is useful.

They simply have different purposes, as stated in other answers. GET is for GETing, POST is for POSTing.

meder
But I don't think bookmarking was the purpose when the GET was defined. Yes this is one benefit. But do we really need to define a new HTTP method for bookmarking alone.
Sanjeev Kumar Dangi
Browser vendors could also implement bookmarks for POST requests.
Gumbo
+6  A: 

Practically, no browser implements POSTing by clicking links (without intercepting the click event in JavaScript), nor bookmarking POST data. Furthermore, semantically POST and GET serve different purposes. One is for POSTing data to an application, the other is for GETting data from the application. These semantics have practical implications, but they also have theoretical design implications that speak to the quality of your application's design: an application that doesn't handle GET differently from POST probably has a great deal of security problems and workflow bugs.

eyelidlessness
Thanks eyelidlessness. Great comment. But, I have seen many servlets where get and post are handled same way. Is that bad coding?
Sanjeev Kumar Dangi
@Sanjeev, it's not inherently bad but it's a clue that something may be wrong. A well-designed application will usually more strongly scrutinize POST data than GET queries; a GET request should sanitize input for db access and redisplay, and deny requests outside the user's permissions; a POST request should do those things, too, but a wider range of permissions may apply, and may perform other validation and sanitization on input before storage. By treating GET and POST semantically differently, developers have more explicit control over the security and stability of their applications.
eyelidlessness
Everything is clear now. Thanks.
Sanjeev Kumar Dangi
+1  A: 

Lets say I want to send a variable to a page via a link, can I do that with POST? Nope, but with GET, I can send something over by doing ?variableName=someValue

Glenn Nelson
What is harm in sending variable via POST body?
Sanjeev Kumar Dangi
What I am saying is, you cannot send a particular value via POST with a simple `<a href="url.com/?value=this">Link</a>`
Glenn Nelson
You mean to say that I have to use form and submit button in POST. Simplicity of GET scores over POST while sending the parameters. Agreed. But motive of my question is different.
Sanjeev Kumar Dangi
Well you are implying that the creators of GET were flawed in their design. I think quite the opposite; They saw the opportunity and usefulness of allowing GET data to be sent via a URL.
Glenn Nelson
+1  A: 

Everything can also be achieved using raw TCP connections. Yet we often use HTTP rather than raw TCP connections because HTTP offers a layer of abstraction and, therefore, convenience and conforming implementations. Likewise, we use HTTP correctly (GETs, POSTs, PUTs, DELETEs, etc) rather than dumbly (POSTs only) because these verbs offer an additional layer of abstraction and, therefore, convenience and conforming implementations.

Justice
Justice, this helps. Cheers!
Sanjeev Kumar Dangi
+12  A: 

HTTP specified different methods for different purposes. The GET method is intended to be used to “retrieve whatever information (in the form of an entity) is identified by the Request-URI”. Especially, it is intended to be a safe and idempotent method. That means a GET request should not have side effects (i.e. changing data):

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.

And sending an identical request multiple times results in the same as sending it just once:

Methods can also have the property of "idempotence" in that (aside from error or expiration issues) the side-effects of N > 0 identical requests is the same as for a single request. The methods GET, HEAD, PUT and DELETE share this property.

Gumbo
"Especially, it is intended to be a safe and idempotent method." What if I write - "it is a safe and idempotent method"? Isn't "intended" is ambiguous? It defines a rule but says it is no more a rule.
Sanjeev Kumar Dangi
@Sanjeev, GET isn't safe and idempotent by virtue of GET. It's safe by virtue of programming for it to be safe and idempotent. It's not a rule, it's a semantic purpose. There is nothing, other than good programming, preventing a developer from developing an application that destroys and overwrites data on GET requests.
eyelidlessness
Understood now. Thanks.
Sanjeev Kumar Dangi
+2  A: 

From RFC 2616:

9.3 GET

The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI. If the Request-URI refers to a data-producing process, it is the produced data which shall be returned as the entity in the response and not the source text of the process, unless that text happens to be the output of the process.

The semantics of the GET method change to a "conditional GET" if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. A conditional GET method requests that the entity be transferred only under the circumstances described by the conditional header field(s). The conditional GET method is intended to reduce unnecessary network usage by allowing cached entities to be refreshed without requiring multiple requests or transferring data already held by the client.

The semantics of the GET method change to a "partial GET" if the request message includes a Range header field. A partial GET requests that only part of the entity be transferred, as described in section 14.35. The partial GET method is intended to reduce unnecessary network usage by allowing partially-retrieved entities to be completed without transferring data already held by the client.

The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching described in section 13.

See section 15.1.3 for security considerations when used for forms.

9.5 POST

The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line. POST is designed to allow a uniform method to cover the following functions:

  - Annotation of existing resources;
  - Posting a message to a bulletin board, newsgroup, mailing

list, or similar group of articles; - Providing a block of data, such as the result of submitting a form, to a data-handling process; - Extending a database through an append operation. The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI. The posted entity is subordinate to that URI in the same way that a file is subordinate to a directory containing it, a news article is subordinate to a newsgroup to which it is posted, or a record is subordinate to a database.

The action performed by the POST method might not result in a resource that can be identified by a URI. In this case, either 200 (OK) or 204 (No Content) is the appropriate response status, depending on whether or not the response includes an entity that describes the result.

If a resource has been created on the origin server, the response SHOULD be 201 (Created) and contain an entity which describes the status of the request and refers to the new resource, and a Location header (see section 14.30).

Responses to this method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields. However, the 303 (See Other) response can be used to direct the user agent to retrieve a cacheable resource.

POST requests MUST obey the message transmission requirements set out in section 8.2.

See section 15.1.3 for security considerations.

As stated, the response may change with GET if the request message has conditionals based on certain criteria. The POST requires that the server accept the request, no matter what.

Andrew Sledge
+1  A: 

You're right, everything can be tunnel through an HTTP POST. In fact, SOAP web services do exactly that. Everything is a POST using SOAP web services.

In that case, you are tunneling through HTTP, and not using HTTP to its fullest. If that's all you want to do, then that's fine.

However, if you wish to leverage HTTP for the features and benefits that it provides beyond simple message transport, then you should read the RFC and learn the rest of the HTTP protocol including GET, PUT, POST, DELETE, and all of the headers, cache management and result codes.

Will Hartung
Thanks Will. Will dive again in HTTP :)
Sanjeev Kumar Dangi