All over the internet, I see the following advice:
A GET should never change data on the server; use a POST request for that.
What is the basis for this idea?
If I make a PHP service which inserts data in the database, and pass it parameters in the GET query string, why is that wrong? (I am using prepared statements to take care of SQL injection.) Is a POST request in some way more secure?
Or is there some historic reason for this? If so how valid is this advice today?
Best Answer
This is not advice.
A GET is defined in this way in the HTTP protocol. It is supposed to be idempotent and safe.

As for why - a GET can be cached and, in a browser, refreshed. Over and over and over. This means that if you make the same GET again, you will insert into your database again.

Consider what this may mean if the GET becomes a link and it gets crawled by a search engine. You will have your database full of duplicate data.

I also suggest reading URIs, Addressability, and the use of HTTP GET and POST.
There is also a problem with link prefetching in some browsers - they will make a call to pre-fetch links, even if not indicated so by the page author.
If, say, your log out is behind a "GET", linked from every page on your site, people can get logged out just due to this behaviour.
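The failure modes the answer describes (refresh, crawler and prefetch traffic replaying a mutating GET, including a GET-based logout), shown as an added example that is not part of the original question or answer. It models the asker's service in-process: an in-memory SQLite table stands in for the database, a dict stands in for the session store, and a loop stands in for a crawler or prefetcher fetching every link on a page with GET. The table name, URL paths, parameter names and the user "alice" are invented for illustration; the naive handler keeps the question's pattern (prepared statements, mutation driven by the query string), and the checked handler shows the corrected split between GET and POST.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Added example, not code from the original post. Table, paths, parameters
# and the session user are constructed for illustration.


def make_state():
    """Fresh server state: an in-memory table plus a session store where
    'alice' starts out logged in."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return {"db": db, "sessions": {"alice": True}}


def query_param(url, name):
    """First value of a query-string parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def naive_handler(state, method, url, form=None):
    """The pattern from the question: state changes are driven by the GET
    query string. The prepared statement prevents SQL injection, but the
    request is still not 'safe' in the HTTP sense: every fetch of the URL
    mutates the server, whoever (or whatever) fetches it."""
    path = urlsplit(url).path
    if path == "/add":
        state["db"].execute("INSERT INTO comments (body) VALUES (?)",
                            (query_param(url, "body"),))
        state["db"].commit()
        return 200
    if path == "/logout":
        state["sessions"]["alice"] = False
        return 200
    return 404


def checked_handler(state, method, url, form=None):
    """Corrected version: GET only reads. Mutating endpoints answer 405 to
    GET, and on POST take their data from the form body, not the URL."""
    path = urlsplit(url).path
    if method == "GET":
        if path in ("/add", "/logout"):
            return 405  # a link, refresh, prefetch or crawler cannot mutate
        return 200
    if method == "POST":
        form = form or {}
        if path == "/add":
            state["db"].execute("INSERT INTO comments (body) VALUES (?)",
                                (form.get("body", ""),))
            state["db"].commit()
            return 201
        if path == "/logout":
            state["sessions"]["alice"] = False
            return 200
        return 404
    return 405


def simulate_crawler(handler, state, links, passes=3):
    """A search-engine crawler, a browser's link prefetcher, or a user
    hammering refresh: every link on the page is fetched with GET, several
    times over. Returns (row count, whether alice is still logged in)."""
    for _ in range(passes):
        for url in links:
            handler(state, "GET", url)
    rows = state["db"].execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return rows, state["sessions"]["alice"]


# Links as they might appear in the site's HTML (constructed sample input).
LINKS = ["/add?body=hello", "/add?body=world", "/logout"]


if __name__ == "__main__":
    # Naive service: two rows per pass become six duplicates, and alice is
    # logged out without ever clicking anything.
    print(simulate_crawler(naive_handler, make_state(), LINKS))
    # Checked service: the same traffic inserts nothing and alice stays in.
    print(simulate_crawler(checked_handler, make_state(), LINKS))
```

Run it and the naive service reports `(6, False)` after three crawler passes, while the checked service reports `(0, True)`; only an actual POST to `/add` or `/logout` changes anything, which is exactly the property the answer is describing when it says a GET must be safe and idempotent.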