GET vs. POST Best Practices

Question

For my web application (PHP/MYSQL), I show a list of items and a link on each row to delete the item. Right now, the link is

Answer 1

As others have said, it's a really bad idea to use GET for destructive operations like delete, especially on Internet-facing web sites (or corporations with a Google Mini appliance) where web crawlers could accidentally delete all your data.

If you don't want to use a form, use an XMLHttpRequest to send the POST to your server. You could even set the method to DELETE if your server supports that.

If you can't use JavaScript and XHR (your users live in 1999), and you don't want to use a form in your list, use a link to a separate page where you can show the form and a probably a 'Are you sure?' message.

The best thing to do is probably a combination of the two options above: Render a link to a separate page with a form, but use JavaScript to rewrite the link as an XHR call. That way users from 1999 or 2009 can both have an optimal experience.

Answer 2

In general it's not a good idea to have a GET request that modifies the system state somehow, like deleting an item.

You could have your form look like this:

<form action='item.php' method='POST' id='form'>
    <input type='hidden' name='action' value='delete' />
    <input type='hidden' name='id' value='{item_id}' />
    <a href="" onclick="document.getElementById('form').submit(); return false;">Delete item</a>
</form>

Answer 3

Please use POST for anything that modifies persistent state in the database. You don't want crawlers visiting your delete links!
Have a read at Architecture of the World Wide Web, Volume One and URIs, Addressability, and the use of HTTP GET and POST by W3C.

Edit: Sometimes though you need to use GET. For example membership activation URLs which are sent in emails are GET and need to somehow modify the database.

Answer 4

You don't want to use Get because of the REST principle of not allowing Gets to change the state of the system. Unless you like search engines to delete all your content.

You won't need a form for each item; you can use one method=post form around the list with a delete_{id} input type=submit. Or, more cleverly, <input type=submit name="delete_item" value="{id}">. Names are allowed on submit buttons.

Per your question in the comments, <input type=submit name="action_{id}" value="Delete"> might work better, though it suffers from some issues that would work badly for localized sites. You can always revert to a HTML Button for a little more control over the presentation. It acts like a submit button by default.

The fact that you may get extra, unwanted information in the submission is mitigated by the average-case of sending back a much larger page than necessary with your proposed form-per-item solution, when you're just viewing the list. You can always use javascript to substitute the behavior of the plain-old-html form with a smarter version for javascript-capable clients.

If you're going to link to a "Get" for deletion, you should return a confirmation page with that Get that actually does a post upon confirmation.