Hooopo
Get or Post?


Unfortunately there is a lot of misuse of GET for POST and vice versa. Both HTTP methods can be made to achieve the same goals, but an incorrect choice between them can lead to unexpected and potentially harmful outcomes.

So, to make sure we get things right, I present to you the definitive guide to choosing between GET and POST.

Editor’s Note: Mike McDerment of FreshBooks.com will be teaching a 1/2 day workshop on ‘How to Build a Web App from A-Z’ at The Future of Web Apps.


Note: Remember that query strings (i.e. name/value pairs) get transferred in the URL of GET requests:

GET /blog/?name1=value1&name2=value2 HTTP/1.1
Host: carsonified.com

and in the body of POST requests, after the blank line that separates the headers from the body (the Content-Type and Content-Length headers tell the server how to read it):

POST /blog/ HTTP/1.1
Host: carsonified.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

name1=value1&name2=value2

GET vs POST Basics

In between new additions to our vocabularies (think “idempotent”), sections 9.1, 9.3 and 9.5 of RFC 2616 (safe and idempotent methods, GET, and POST; the same definitions now live in RFC 7231 section 4.2) help us to conclude the first rule of GET vs POST…

Rule #1: Use GET for safe actions and POST for unsafe actions.

The RFC instructs browsers to make users aware, when reissuing a previously made POST request, that the action (e.g. placing an order) is potentially unsafe. Hence the existence of the browser's “resend the form data?” confirmation dialogue. The flip side is that nothing warns anyone about a GET: if an unsafe action is reachable by GET, a bookmark, a link prefetcher, a crawler or an <img> tag on someone else's page can trigger it without the user ever intending to.

However, whilst browser compliance with this RFC instruction might explain why POST should be used for unsafe actions, why shouldn’t we use POST for safe ones?

Simply put, because GET requests are more usable:

  1. GET requests can be cached
  2. GET requests can remain in the browser history
  3. GET requests can be bookmarked
  4. GET requests can be distributed & shared
  5. GET requests can be hacked, i.e. hand-edited by users (ask Jakob!)

Note: If you need the best of both worlds, an unsafe action can be made idempotent, so that it makes no difference how many times it’s requested. This does not make the action safe (it still changes state the first time, so it still belongs on POST); what it buys you is that a repeated submission, whether from a user ignoring the warning or from a client retrying after a timeout, is not processed twice. You do this by giving each request a unique ID and using server-side validation to ensure that a request with that ID hasn’t already been processed. In fact, if you’re in search of excellence, all unsafe actions should be made idempotent, as nothing can stop users from ignoring warnings.
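The two ideas above, Rule #1 and the idempotency note, in working form. This is an added example, not code from the original post: a tiny dispatcher that only exposes the read-only action on GET and the state-changing action on POST, and a handler that remembers a client-supplied request ID so a replayed POST returns the original response instead of creating a second order. The route names, the `Idempotency-Key` header name and the in-memory store are assumptions for the example.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str                      # may carry a query string, e.g. "/orders?item=book"
    headers: dict = field(default_factory=dict)
    body: str = ""                 # form-encoded body for POST, empty for GET


@dataclass
class Response:
    status: int
    body: str


def parse_form(encoded):
    """Split name1=value1&name2=value2 into a dict (no percent-decoding needed here)."""
    return dict(p.split("=", 1) for p in encoded.split("&") if "=" in p)


class Shop:
    def __init__(self):
        self.orders = []      # the state that the unsafe action changes
        self.processed = {}   # Idempotency-Key -> Response already returned for it

    def list_orders(self, req):
        # Safe action: read-only, so it may be cached, bookmarked and repeated freely.
        return Response(200, json.dumps(self.orders))

    def place_order(self, req):
        # Unsafe action: changes state, hence POST only. The client-supplied key
        # (assumed header name) lets a replay be answered without re-executing.
        key = req.headers.get("Idempotency-Key")
        if not key:
            return Response(400, "Idempotency-Key header required")
        if key in self.processed:
            return self.processed[key]        # replay: same answer, no new order
        item = parse_form(req.body).get("item")
        if not item:
            return Response(400, "item required")
        order_id = len(self.orders) + 1
        self.orders.append({"id": order_id, "item": item})
        resp = Response(201, json.dumps({"id": order_id}))
        self.processed[key] = resp
        return resp


# Method-per-action table: the unsafe action is simply not reachable via GET.
ROUTES = {
    ("GET", "/orders"): "list_orders",
    ("POST", "/orders"): "place_order",
}


def dispatch(shop, req):
    path = req.path.split("?", 1)[0]          # query string never selects the action
    handler = ROUTES.get((req.method, path))
    if handler is None:
        allowed = sorted(m for (m, p) in ROUTES if p == path)
        if allowed:
            return Response(405, "Method Not Allowed; allowed: " + ", ".join(allowed))
        return Response(404, "Not Found")
    return getattr(shop, handler)(req)


if __name__ == "__main__":
    shop = Shop()
    hdr = {"Idempotency-Key": "order-7f3a"}   # constructed sample key
    first = dispatch(shop, Request("POST", "/orders", hdr, "item=book"))
    replay = dispatch(shop, Request("POST", "/orders", hdr, "item=book"))
    print(first.status, first.body, "| replay:", replay.status, replay.body)
    print(len(shop.orders), "order(s) after the replay")
    # A GET carrying the same parameters only lists orders; it cannot create one.
    print(dispatch(shop, Request("GET", "/orders?item=book")).body)
```

In a real service the `processed` map would live in shared storage with an expiry, and the key should be generated by the client when the form is rendered, not when it is submitted, so that a double-click or a browser "resend" carries the same key.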

GET vs POST Extended

Rule #2: Use POST when dealing with sensitive data.

Because query strings are transferred openly in GET requests, written to server, proxy and browser logs as part of the request line, and may be passed on in the Referer header to any third-party resource the resulting page loads, we have to consider our security and that of our users when dealing with sensitive data like passwords or credit card numbers:

  1. Our users… because they may not realise that they are sharing sensitive data when they share a URL or that it can be viewed in the browser history by other people using the same computer.*
  2. Ourselves… because we may be breaking laws by unexpectedly storing data that we’re not allowed to (like credit card CV2s) in log files.

* The history and URL-sharing half of this doesn’t apply when the GET is issued by XMLHttpRequest rather than by navigation, since the URL never appears in the address bar or history. The logging half still applies: the query string is still part of the request line on the wire, so it still ends up in server and proxy logs.
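Rule #2 as seen from the server side, as an added example (not from the original post). An access log in the Apache/nginx "common" format records the request line verbatim, so a password sent as a GET parameter lands in the log while the same password in a POST body does not; the block also shows the usual mitigation for the logs you do keep, masking known-sensitive query parameters before the target is written. The log format, timestamp, client address and the list of sensitive parameter names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names whose values must never reach a log (assumed list).
SENSITIVE = {"password", "passwd", "pwd", "card", "cardnumber", "cvv", "cv2", "token"}


def access_log_line(method, target, status, client="203.0.113.5"):
    """Constructed "common log format" line: the request line is logged as-is,
    the request body never is, so only GET parameters can leak this way."""
    return f'{client} - - [20/Aug/2009:10:00:00 +0000] "{method} {target} HTTP/1.1" {status} -'


def redact_target(target):
    """Mask the values of sensitive query parameters before the target is logged."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def leaked_secrets(log_line, secrets):
    """Return which of the given secret values appear verbatim in a log line."""
    return [s for s in secrets if s in log_line]


if __name__ == "__main__":
    secret = "hunter2"                                   # constructed sample password
    # Same login, once with the credentials in the query string, once in the body.
    get_line = access_log_line("GET", f"/login?user=alice&password={secret}", 302)
    post_line = access_log_line("POST", "/login", 302)   # body user=alice&password=... not logged
    print("GET  ->", get_line, "| leaked:", leaked_secrets(get_line, [secret]))
    print("POST ->", post_line, "| leaked:", leaked_secrets(post_line, [secret]))
    safe_line = access_log_line("GET", redact_target(f"/login?user=alice&password={secret}"), 302)
    print("GET (redacted) ->", safe_line, "| leaked:", leaked_secrets(safe_line, [secret]))
```

Redaction is damage control, not a substitute for the rule: the unredacted URL has already travelled through the browser history, any intermediate proxy, and possibly a Referer header before your server gets a chance to mask it.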

Rule #3: Use POST when dealing with long requests.

Although the RFC doesn’t lay down any length-related guidelines, Internet Explorer – with its insistence on finding ways to make things difficult for us – enforces a maximum URL length of roughly 2,000 characters (2,083 in total, of which at most 2,048 may be the path, per Microsoft’s KB 208427). Other browsers are more generous, but servers and proxies impose their own limits on the request line (Apache’s LimitRequestLine defaults to 8190 bytes), and an over-long URL is rejected with a bare 414 status that gives the user nothing useful, so anything bulky belongs in a POST body.

Rule #4: Use GET in AJAX environments.

When using XMLHttpRequest, browsers have been observed to implement POST as a two-step process (sending the headers first and then the data), whereas a small GET goes out in one go. This means that GET requests are more responsive – something you need in AJAX environments. Note that this is a performance observation about browser implementations, not anything the RFC requires, and it does not override Rules #1 and #2: an XMLHttpRequest GET that changes server state is still an unsafe action on a safe method, and its query string still reaches server and proxy logs.

Summary

Although rules usually exist for good reasons, it’s good to know the logic behind them so they can be embraced fully. I, myself, hate rules that don’t have explanations and I hope that the above helps to justify the rules of GET vs POST.

Choosing between methods is a systematic process which should become second nature. Until then, the four rules above can be used as a checklist, in order: is the action unsafe, is the data sensitive, is the request long, and only then does the AJAX responsiveness argument for GET come into play.

Comments
#8 Hooopo 2009-12-19
全冠清, replying to your account gives no notification… really odd
#7 全冠清 2009-09-24
Wandered in by mistake, just passing through
#6 Hooopo 2009-08-20
Quote:
I think REST describes it right. GET is only about URIs, it is about getting the representation of a resource identified by a URI. Now some prefer pretty URIs but using query variables is perfectly legal in HTTP.

#5 Hooopo 2009-08-20
In an AJAX environment GET responds quickly; POST has to send the headers first and then the data
#4 Hooopo 2009-08-20
Quote:
Internet Explorer – with its insistence on finding ways to make things difficult for us – enforces a maximum URL length of 2,048 characters


fvck ie...
#3 Hooopo 2009-08-20
GET exposes sensitive information (passwords, account names, etc.) in the URL; using GET via AJAX does not
#2 Hooopo 2009-08-20
All GETs should be idempotent
#1 Hooopo 2009-08-20
Quote:
GET requests can be cached
GET requests can remain in the browser history
GET requests can be bookmarked
GET requests can be distributed & shared
GET requests can be hacked (ask Jakob!)
