Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is using a HTTP GET to update state on the server in a RESTful call incorrect?

OK, I know already all the reasons on paper why I should not use a HTTP GET when making a RESTful call to update the state of something on the server. Thus returning possibly different data each time. And I know this is wrong for the following 'on paper' reasons:

  • HTTP GET calls should be idempotent
  • N > 0 calls should always GET the same data back
  • Violates HTTP spec
  • HTTP GET call is typically read-only

And I am sure there are more reasons. But I need a concrete simple example for justification other than "Well, that violates the HTTP Spec!". ...or at least I am hoping for one. I have also already read the following which are more along the lines of the list above: Does it violate the RESTful when I write stuff to the server on a GET call? & HTTP POST with URL query parameters -- good idea or not?

For example, can someone justify the above and why it is wrong/bad practice/incorrect to use a HTTP GET say with the following RESTful call

"MyRESTService/GetCurrentRecords?UpdateRecordID=5&AddToTotalAmount=10"

I know it's wrong, but hopefully it will help provide an example to answer my original question. So the above would update recordID = 5 with AddToTotalAmount = 10 and then return the updated records. I know a POST should be used, but let's say I did use a GET.

How exactly and to answer my question does or can this cause an actual problem? Other than all the violations from the above bullet list, how can using a HTTP GET to do the above cause some real issue? Too many times I come into a scenario where I can justify things with "Because the doc said so", but I need justification and a better understanding on this one.

Thanks!

like image 247
atconway Avatar asked May 09 '12 15:05

atconway


People also ask

Which HTTP method would result in changing the state of data on the server side?

The POST method submits an entity to the specified resource, often causing a change in state or side effects on the server. The PUT method replaces all current representations of the target resource with the request payload.

Can I update data with GET request?

In an error case, it most often returns a 404 (NOT FOUND) or 400 (BAD REQUEST). According to the design of the HTTP specification, GET (along with HEAD) requests are used only to read data and not change it. Therefore, when used this way, they are considered safe.

What is difference between GET and POST method in REST API?

Difference between GET and POST Method in APINo limit on data length is there in POST request. Get is simple to use because of its nature of appending data to URL only. Post requires header information, body, etc which makes it hard to use as compared with Get request. Get requestsrequest can be cached.

Which HTTP method would typically be used to retrieve a resource from a server?

GET. GET requests are the most common and widely used methods in APIs and websites. Simply put, the GET method is used to retreive data from a server at the specified resource.


2 Answers

The practical case where you will have a problem is that the HTTP GET is often retried in the event of a failure by the HTTP implementation. So you can in real life get situations where the same GET is received multiple times by the server. If your update is idempotent (which yours is), then there will be no problem, but if it's not idempotent (like adding some value to an amount for example), then you could get multiple (undesired) updates.

HTTP POST is never retried, so you would never have this problem.

like image 92
Francis Upton IV Avatar answered Oct 30 '22 22:10

Francis Upton IV


If some form of search engine spiders your site it could change your data unintentionally.

This happened in the past with Google's Desktop Search that caused people to lose data because people had implemented delete operations as GETs.

like image 30
Darrel Miller Avatar answered Oct 30 '22 23:10

Darrel Miller