
When is the use of the GET method justified?

When is the use of the GET method justified? Is it OK to always use POST? Is it right that GET is transferred faster than POST?


The GET verb is used in Requests that are idempotent, e.g. when they lead to the same result (and have no observable side-effects on the returned resource). So, you use them for retrieval of a resource only.

The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI. If the Request-URI refers to a data-producing process, it is the produced data which shall be returned as the entity in the response and not the source text of the process, unless that text happens to be the output of the process.

and also

1.3 Quick Checklist for Choosing HTTP GET or POST

  • Use GET if:
    • The interaction is more like a question (i.e., it is a safe operation such as a query, read operation, or lookup).
  • Use POST if:
    • The interaction is more like an order, or
    • The interaction changes the state of the resource in a way that the user would perceive (e.g., a subscription to a service), or
    • The user be held accountable for the results of the interaction.

However, before the final decision to use HTTP GET or POST, please also consider considerations for sensitive data and practical considerations.

See

  • http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html and
  • http://www.w3.org/2001/tag/doc/whenToUseGet-20040321

That second link explains the difference pretty well.

Note that there is not just GET and POST in the HTTP protocol, but a couple of other verbs, like PUT, HEAD, DELETE, etc as well. Those play a large role in RESTful applications.


Short answer:

Use GET requests when it makes sense for the user to be able to bookmark the request, share the request, and come back to it over and over again. It makes sense to be able to bookmark the result of a Google query, for example.

Longer answer:

Use GET requests when the user is simply fetching/viewing a resource, and doesn't have any significant side-effects on your website's data or on future requests. If the request is creating, modifying, or deleting something, it should be a POST. If the user is logging in to a website, that has effects on future requests, so it should be a POST, not a GET.

Note: Users can still change POST variables.

It's easier for the user to change query string (GET) values, but it's not too difficult for the user to change POST values. Your website's security should take this into account! Using POST for security isn't really a valid reason, except for the fact that POST variables aren't part of the URL and aren't bookmarked, while GET variables are. This prevents users from accidentally sharing things like passwords when sharing links.


You use POST for larger amounts of data, or data that you don't want to appear within the URL. For instance, you don't want the URL to delete a page, or create one, to appear in someone's history. Neither do you want to save passwords in this way.

For search strings and such, you can easily use GET. It allows users to copy a specific URL, like a specific search result, or a link to the 5th page in a paginated list.

So, either are ok for their own purposes. The only thing you should remember is the maximum size of 8Kb for an url, including the get parameters.


GET is better for things that should be able to be bookmarked, and simple queries with few, short parameters.

POST is better for sensitive fields that the user shouldn't see, for large binary transfers, and for transfers with many fields or very long fields.


Generally, GET is preferred for search pages (like on google) and something which is not sensitive like username or password should not be shown in urls.

Consider Security Too:

You should be very selective when using GET. For example, if you end up coding like this:

$page = $_GET['page'];
include $page . '.php';

A bad guy can visit a url like:

http://www.yourdomain.com?page=../../../etc.pwd

Or if you do:

$id = $_GET['id'];
mysql_query("delete from table where id = $id");

A bad guy can delete all your records from db just by visiting:

http://www.yourdomain.com?id=5
http://www.yourdomain.com?id=10

There do exist solutions to those mistakes; however, you should still be selective when choosing between POST and GET.
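
A hardened counterpart to the two snippets in the answer above, added here as an example and not part of the original post: the include target is chosen from an allowlist, and the delete runs only on POST with a CSRF token and a bound integer id. The `items` table, the `pages/` directory, the page names and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only page names the front controller will include.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Map the untrusted ?page= value onto a fixed file name; anything else falls back to 'home'.
function resolve_page(?string $requested): string
{
    $page = in_array($requested, ALLOWED_PAGES, true) ? $requested : 'home';
    return __DIR__ . '/pages/' . $page . '.php';
}

// Delete only on POST, with a per-session CSRF token and an integer id bound as a parameter.
function delete_record(PDO $db, string $method, array $post, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false;   // GET stays safe: links, prefetchers and crawlers change nothing
    }
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        return false;   // request was not submitted from our own form
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;   // anything that is not a positive integer is rejected
    }
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data: an in-memory SQLite table with three rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (name) VALUES ('a'), ('b'), ('c')");
$token = bin2hex(random_bytes(16));   // would be stored in $_SESSION in a real application

var_dump(basename(resolve_page('../../../etc/passwd')));                                     // traversal attempt
var_dump(delete_record($db, 'GET',  ['id' => '2', 'csrf_token' => $token], $token));         // GET request
var_dump(delete_record($db, 'POST', ['id' => '2 OR 1=1', 'csrf_token' => $token], $token));  // non-integer id
var_dump(delete_record($db, 'POST', ['id' => '2', 'csrf_token' => $token], $token));         // valid POST
var_dump((int) $db->query('SELECT COUNT(*) FROM items')->fetchColumn());                     // rows remaining
```

Switching the delete to POST does not replace the authorization check; the handler still has to confirm that the logged-in user may delete that row.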
