Looking for Information on POST vs. GET

I’m sorta new to this stuff, so I was wondering if anyone was familliar
with
a write up of POST vs. GET and how to use it with Rails? I haven’t had
much
exprience with it, so if it’s as simple as addng a line of code or
something, please forgive my stupidity.

Thanks in advance

[EDIT:]I fouled up. Sorry if you get this twice.

View this message in context:
http://www.nabble.com/Looking-for-Information-on-POST-vs.-GET-tf2185561.html#a6045659
Sent from the RubyOnRails Users forum at Nabble.com.

POST and GET are HTTP request methods.

Functionally, from your POV as a developer, they are mostly equivalent;
in fact the way in Rails the parameters end up in the same params hash,
within the body of any action it may not even matter whether it was
invoked by GET or POST.

Further information:

  1. Basic definition of GET and POST. Not sure how interested you’ll be,
    most of the HTTP protocol is transparent for you as a Rails developer.

  2. The way GET and POST (and PUT, and DELETE) are to be used in Rails:
    see DHH RailsConf keynote[2]. This one is much more relevant.

[1] Hypertext Transfer Protocol -- HTTP/1.1

[2]

Thanks… My main concern is users using the URL to delete data and
whatnot, I want to “defend” against that… and it just kinda hit me
that by typing in a URL I could delete a user, and I went “oh oh”…
I’m assuming it’s a pretty common problem that isnt’ even a “problem”
anymore, I just haven’t thought of it till now. I’ll watch the keynote.

Alder G. wrote:

most of the HTTP protocol is transparent for you as a Rails developer.

  1. The way GET and POST (and PUT, and DELETE) are to be used in Rails:
    see DHH RailsConf keynote[2]. This one is much more relevant.

[2] http://blog.scribestudio.com/pages/rails/

For archival purposes, I wanted to include the link to the keynote, you
left it out, I googled it… I mean I searched for it on Google (
sorry Google :stuck_out_tongue: )

link to keynote videos of RalsConf:
http://blog.scribestudio.com/pages/rails/

sw0rdfish wrote:

Thanks… My main concern is users using the URL to delete data and
whatnot, I want to “defend” against that… and it just kinda hit me
that by typing in a URL I could delete a user, and I went “oh oh”…
I’m assuming it’s a pretty common problem that isnt’ even a “problem”
anymore, I just haven’t thought of it till now. I’ll watch the keynote.

You could use this to check if it was a post request that called your
delete function:

if request.post?
… then delete …
end

If the user just types in the URL, it will create a GET request so the
above condition will fail.
Cheers
Mohit.

sw0rdfish wrote:

Thanks… My main concern is users using the URL to delete data and
whatnot, I want to “defend” against that… and it just kinda hit me
that by typing in a URL I could delete a user, and I went “oh oh”…
I’m assuming it’s a pretty common problem that isnt’ even a “problem”
anymore, I just haven’t thought of it till now. I’ll watch the keynote.

It’s very simple.

Having a URI to delete users is very Railish (it fits the CRUD/REST
model very well.

So you can have a typical URI like:

example.com/users/delete/23

To delete User instance with ID 23.

However, the fact that there is such URI says nothing about the
permissions required to actually execute the deletion. It means the
client ASKS to delete User #23. Whether it would be DONE is an entirely
different issue.

You the developer set up the mechanism to handle requests such as
/users/delete/23. Commonly through before_filters, e.g. checking if the
requesting client has an admin bit set in the session. That mechnism
determines if User #23 will be deleted, or if the client instead would
be shown a “permission denied” feedback.

If you use RESTful plugin, you won’t have to bother with
post/get/request.post?

-Pratik

On 8/29/06, Mohit S. [email protected] wrote:

delete function:


rm -rf / 2>/dev/null - http://null.in

Dont judge those who try and fail, judge those who fail to try…

Thanks… My main concern is users using the URL to delete data and
whatnot, I want to “defend” against that… and it just kinda hit me
that by typing in a URL I could delete a user, and I went “oh oh”…

permissions required to actually execute the deletion. It means the
client ASKS to delete User #23. Whether it would be DONE is an entirely
different issue.

There is a further problem with allowing GET requests to invoke actions
such
as delete: such links may be followed web spiders, or client-side
preloading
cache utilities. POST requests will not be invoked by such automatic
tools.
The general rule is not to use GETs for anything that would cause a
change of
state on the server. Merely checking whether a client has permission to
delete a User will not prevent problems with client-side tools that
pre-load
links that they find on a page.

A good explanation about this could be founded on Agile Web
Development with Rails, pg. 335 in a section (16.9) called “The
problem with get requests”…

On 9/1/06, Michael McGreevy [email protected]
wrote:

example.com/users/delete/23
as delete: such links may be followed web spiders, or client-side preloading
cache utilities. POST requests will not be invoked by such automatic tools.
The general rule is not to use GETs for anything that would cause a change of
state on the server. Merely checking whether a client has permission to
delete a User will not prevent problems with client-side tools that pre-load
links that they find on a page.


Everton J. Carpes
Mobile: +55 53 9129.4593
MSN: [email protected]
UIN: 343716195
Jabber: [email protected]
Gestum
http://www.gestum.com.br/
O.S. Systems
http://www.ossystems.com.br
http://projects.ossystems.com.br