48

I am developing a REST WCF service, and theoretically I know when to opt for what purpose.

  • GET to get the resource
  • PUT to update
  • POST to Insert
  • DELETE to delete

But what is the disadvantage if we don't follow the above rule? Suppose, to insert a record, I used the GET method?

Fooker
  • 2
    Is there a reason you'd want to do this? – Michael Petrotta Aug 23 '13 at 05:41
  • 3
    I don't know why we should follow the above rule; if we don't follow it, then what are the disadvantages? – Fooker Aug 23 '13 at 05:43
  • 1
    Convention. Predictability. Why should you drive on the left side of the road (right side, in the US)? – Michael Petrotta Aug 23 '13 at 05:46
  • In addition to other answers GET requests that change state are a security risk – eoghank Aug 23 '13 at 11:51
  • @eoghank, out of interest as I'm learning about RESTful APIs at the moment for my final year project; what would make using a GET request in this manner a security risk? – Seer Jan 13 '14 at 16:35
  • 1
    @Seer using GETs to change data makes it slightly easier for a CSRF attacker. This does not mean POSTs/PUTs are inherently secure of course, they still need to be protected with a token to prevent CSRF. – eoghank Jan 13 '14 at 17:30
  • Aah I see, that makes a lot more sense now. More research topics for my paper! Thanks. – Seer Jan 13 '14 at 18:19
  • **tl;dr** Because there's a standard that gives those verbs semantic meaning, following it allows other applications to understand your intent and process them appropriately. – d4nyll Jun 29 '17 at 17:38

3 Answers

50

Because the HTTP GET method is specified as idempotent, a GET request, by specification, can be resubmitted with the assumption that it will not change anything on the server. This is not the case for an HTTP POST, which by specification can change the status of the application running on the server.

So, by specification, one can perform an HTTP GET against a page N number of times without worrying about changing its status.

Not respecting the specification may have various undesired results. For example, Web crawlers follow GET requests to index a site, but not POST. If you allowed an HTTP GET request to make changes to the database, you can easily understand the undesired implication it can have.

Respecting a specification is like respecting an agreement between your service or website and an array of different consumers which can be normal users' browsers but also other services like web crawlers.

You could build a site that uses a GET to insert a record, but you should also expect that whatever is built around to consume your site is functioning with the assumption that you are respecting the agreement.

As a last example, web browsers warn users when they try to refresh a page that was reached by an HTTP POST request, warning that some data might be resubmitted. You do not get that layer of protection built into browsers if the page is reached by an HTTP GET request.

You can read more here: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

nKognito
Giuseppe Romagnuolo
  • So, what is the difference? Uniquely, if I put a URL "www.google.com" into my browser, it apparently does something to "GET" the requested web page. Please edit your response and explain how the GET, PUT etc. verbs are different than a simple web page request from a browser. – Baruch Atta Jul 13 '18 at 16:37
10

But what is the disadvantage if we don't follow this above rule, suppose to insert a record I used GET method.

Search engines access your pages using GET requests, so if you did this, Google's crawler might insert records that you didn't want.

Often, people will use POST for any kind of Ajax request, with the actual action in the request's body. There's nothing very wrong with this, but the feature is there for you to use, so you might as well use it.

Dan
6

I faced a situation where I should have used PUT instead of GET. I had a permission insertion call going to a third party (this was Google). I spun up an Ajax GET request for the update permission call to my Servlet, and from there the call went to the external service. The external service took a considerable amount of time to finish the request. In the meantime I was seeing duplication of the same permission call in my server logs. It was the browser, which kept on calling the server, saying "are you done?", since it is a GET and the browser can call the server as many times as possible. The browser followed the standard and my code did not. I had the issue for not following the standard.

pushya
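An added example, not part of any answer above: it reproduces the two failure modes the answers describe (a crawler following links, and a client repeating a GET) against an insert route reachable by GET, then against the same route restricted to POST. Python's WSGI stands in for the WCF service here; the routes `/add` and `/list`, the helper functions and the sample page are all constructed for illustration.

```python
# Added example (constructed): an in-process WSGI app, no network needed.
import re
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed index page: one harmless link, one link to the insert route.
INDEX = b'<a href="/list">list</a> <a href="/add?name=alice">add alice</a>'

def make_app(records, insert_methods):
    """Build an app whose /add route inserts only for the given HTTP methods."""
    def app(environ, start_response):
        method, path = environ["REQUEST_METHOD"], environ["PATH_INFO"]
        if path == "/add":
            if method not in insert_methods:
                # Refuse the verb and advertise the permitted one (405 + Allow).
                start_response("405 Method Not Allowed",
                               [("Allow", ", ".join(insert_methods))])
                return [b""]
            # Simplification: a real POST would carry the value in its body.
            name = parse_qs(environ["QUERY_STRING"]).get("name", [""])[0]
            records.append(name)          # the state change
            start_response("201 Created", [])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [INDEX if path == "/" else b"records"]
    return app

def request(app, method, url):
    """Call the WSGI app directly and return (status_code, body)."""
    path, _, query = url.partition("?")
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path, QUERY_STRING=query)
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return int(status[0].split()[0]), body

def crawl(app, passes=2):
    """Do what a crawler or a retrying client does: GET every link, repeatedly."""
    for _ in range(passes):
        _, html = request(app, "GET", "/")
        for href in re.findall(rb'href="([^"]+)"', html):
            request(app, "GET", href.decode())

def demo():
    unsafe, safe = [], []
    crawl(make_app(unsafe, ["GET", "POST"]))    # insert reachable via GET
    safe_app = make_app(safe, ["POST"])         # insert restricted to POST
    crawl(safe_app)                             # every GET to /add gets 405
    request(safe_app, "POST", "/add?name=bob")  # deliberate, explicit write
    return unsafe, safe
```

Calling `demo()` returns the two record stores: the GET-reachable variant ends up with a duplicate record nobody asked for, while the POST-only variant holds just the explicit write.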