GET and POST

Many of the reasons that people have for choosing one or other of these access methods are completely wrong.

The most common wrong reason for choosing POST instead of GET is that some people mistakenly think it is more secure. Since the page headers where the POST data is passed can be easily edited using developer tools in just about any browser, it is no more secure than using GET with the data displayed in the address bar. In both cases you need to validate the data fully in the code that receives it to ensure it hasn't been tampered with. That it is slightly less obvious how to tamper with one than with the other doesn't make anything more secure.

Some people choose POST over GET because they think that things look tidier if you don't have a querystring in the address bar. These people are also mistaken in the reason for their choice of method, since you can easily use mod_rewrite in the .htaccess file to convert the querystring to look like a regular address on any site running on Apache (or the equivalent option on other web servers) if it really worries you that much.

The real reason that both GET and POST exist is that GET is intended to be used when you are retrieving data from the server, where the request is not updating anything on the server and where, if you make the same call again, you expect the same result to be returned. The whole point of such a call is that it can be bookmarked easily so as to be able to repeat it at any time in the future, and that the results of the call are cached by the browser, so that if the same visitor runs the same request multiple times they only download the data once and the subsequent calls simply grab the cached copy that was already downloaded.

POST is the one that is intended to be used when you are updating content on the server and where repeating the same request a second time is likely to return a completely different result from the prior call. When you do a POST request the results that are returned are not cached, because if the same call is done again the results will be different and so the current copy of the returned data cannot be used in that instance. Also, POST requests are deliberately designed so that you can't bookmark them, in order to ensure that someone doesn't accidentally submit an update request by selecting a bookmark. For the same reason you can't generate a POST request using a link in HTML: if you could, then each time a search engine spidered your page it would run all the update requests in the page.
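An added example, not from the original article: a minimal JavaScript request dispatcher that keeps retrieval on GET and updates on POST, and runs the same validation on both because either can be edited by the sender. The notes store, the /note and /note/update routes and the function names are hypothetical, and the dispatcher is written as a pure function so it runs under Node.js without a network.

```javascript
// Added example: hypothetical in-memory "notes" service (routes and names are assumptions).
const notes = new Map([[1, "first note"]]); // constructed sample data

// One validator for every input, whether it arrived in a querystring or a POST body.
function validate(params) {
  const id = Number(params.get("id"));
  if (!Number.isInteger(id) || id < 1) return { error: "id must be a positive integer" };
  const text = params.get("text");
  if (text !== null && (text.length === 0 || text.length > 200)) {
    return { error: "text must be 1-200 characters" };
  }
  return { id, text };
}

// Pure dispatcher: (method, url, body) -> { status, headers, body }
function handle(method, url, body = "") {
  const u = new URL(url, "http://localhost");
  const reply = (status, text, headers = {}) => ({ status, headers, body: text });

  if (u.pathname === "/note") {
    if (method !== "GET") return reply(405, "use GET", { Allow: "GET" });
    const v = validate(u.searchParams);
    if (v.error) return reply(400, v.error);
    if (!notes.has(v.id)) return reply(404, "not found");
    // Retrieval: repeatable, bookmarkable, cacheable.
    return reply(200, notes.get(v.id), { "Cache-Control": "max-age=60" });
  }
  if (u.pathname === "/note/update") {
    // Updates never run on GET, so a followed link, bookmark or crawler cannot trigger one.
    if (method !== "POST") return reply(405, "use POST", { Allow: "POST" });
    const v = validate(new URLSearchParams(body));
    if (v.error) return reply(400, v.error);
    if (v.text === null) return reply(400, "text is required");
    notes.set(v.id, v.text);
    // The result of an update must not be served from a cache.
    return reply(200, "saved", { "Cache-Control": "no-store" });
  }
  return reply(404, "not found");
}
```

The POST body goes through exactly the same `validate` call as the querystring, so hiding the data from the address bar changes nothing about what the server accepts.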

Note that while generating a POST request in HTML is only possible by using a form, you can convert any GET requests associated with links in your web page into POST requests by using JavaScript that converts the href of the link into a form and then submits it without ever displaying the form in the page. Just because you can do that, though, doesn't mean that you should. Since the request would be a GET request for those without JavaScript and a POST request for those with JavaScript, and the request itself is either an update request or a retrieval request, attaching the JavaScript to the link to do that will mean that the wrong method is being used part of the time. Since you'd be unlikely to add the JavaScript to do the POST request if GET is actually the right alternative, attaching such JavaScript to a link will mean that the wrong method is being used when JavaScript is disabled, and the search engines will accidentally run updates whenever they spider the page. A more appropriate way of using this type of code would therefore be a form with all the fields hidden that has a visible submit button, where the JavaScript hides the submit button and replaces it with a link that submits the form instead.

 

This article written by Stephen Chapman, Felgall Pty Ltd.
