I'm sorta new to this stuff, so I was wondering if anyone was familiar with a write-up of POST vs. GET and how to use it with Rails? I haven't had much experience with it, so if it's as simple as adding a line of code or something, please forgive my stupidity. Thanks in advance.

[EDIT:] I fouled up. Sorry if you get this twice.

--
View this message in context: http://www.nabble.com/Looking-for-Information-on-POST-vs.-GET-tf2185561.html#a6045659
Sent from the RubyOnRails Users forum at Nabble.com.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
POST and GET are HTTP request methods. Functionally, from your POV as a developer, they are mostly equivalent; in fact, the way Rails works, the parameters end up in the same params hash, so within the body of any action it may not even matter whether it was invoked by GET or POST.

Further information:

1) Basic definition of GET and POST. Not sure how interested you'll be; most of the HTTP protocol is transparent for you as a Rails developer.

2) The way GET and POST (and PUT, and DELETE) are to be used in Rails: see DHH RailsConf keynote[2]. This one is much more relevant.

--
[1] http://www.w3.org/Protocols/rfc2616/rfc2616.html
[2]
Thanks... My main concern is users using the URL to delete data and whatnot; I want to "defend" against that.... and it just kinda hit me that by typing in a URL I could delete a user, and I went "oh oh"... I'm assuming it's a pretty common problem that isn't even a "problem" anymore, I just haven't thought of it till now. I'll watch the keynote.
Alder Green wrote:
> most of the HTTP protocol is transparent for you as a Rails developer.
>
> 2) The way GET and POST (and PUT, and DELETE) are to be used in Rails:
> see DHH RailsConf keynote[2]. This one is much more relevant.
>
> [2] http://blog.scribestudio.com/pages/rails/

For archival purposes, I wanted to include the link to the keynote; you left it out, so I googled it.... I mean I searched for it on Google (sorry Google :P). Link to keynote videos of RailsConf: http://blog.scribestudio.com/pages/rails/
sw0rdfish wrote:
> Thanks... My main concern is users using the URL to delete data and
> whatnot, I want to "defend" against that.... and it just kinda hit me
> that by typing in a URL I could delete a user, and I went "oh oh"...
> I'm assuming it's a pretty common problem that isn't even a "problem"
> anymore, I just haven't thought of it till now. I'll watch the keynote.

It's very simple. Having a URI to delete users is very Railish (it fits the CRUD/REST model very well). So you can have a typical URI like:

  example.com/users/delete/23

to delete the User instance with ID 23.

However, the fact that there is such a URI says nothing about the permissions required to actually execute the deletion. It means the client ASKS to delete User #23. Whether it would be DONE is an entirely different issue.

You the developer set up the mechanism to handle requests such as /users/delete/23, commonly through before_filters, e.g. checking if the requesting client has an admin bit set in the session. That mechanism determines if User #23 will be deleted, or if the client instead would be shown a "permission denied" feedback.
sw0rdfish wrote:
> Thanks... My main concern is users using the URL to delete data and
> whatnot, I want to "defend" against that.... and it just kinda hit me
> that by typing in a URL I could delete a user, and I went "oh oh"...
> I'm assuming it's a pretty common problem that isn't even a "problem"
> anymore, I just haven't thought of it till now. I'll watch the keynote.
>
>

You could use this to check if it was a POST request that called your delete function:

  if request.post?
    # .... then delete ..
  end

If the user just types in the URL, it will create a GET request, so the above condition will fail.

Cheers
Mohit.
If you use the RESTful plugin, you won't have to bother with post/get/request.post?

-Pratik

On 8/29/06, Mohit Sindhwani <mo_mail-RxrYI66vbj0AvxtiuMwx3w@public.gmane.org> wrote:
>
> sw0rdfish wrote:
> > Thanks... My main concern is users using the URL to delete data and
> > whatnot, I want to "defend" against that.... and it just kinda hit me
> > that by typing in a URL I could delete a user, and I went "oh oh"...
> > I'm assuming it's a pretty common problem that isn't even a "problem"
> > anymore, I just haven't thought of it till now. I'll watch the keynote.
> >
> >
> You could use this to check if it was a post request that called your
> delete function:
>
> if request.post?
> .... then delete ..
> end
>
> If the user just types in the URL, it will create a GET request so the
> above condition will fail.
> Cheers
> Mohit.
>

--
rm -rf / 2>/dev/null - http://null.in
Don't judge those who try and fail, judge those who fail to try..
> > Thanks... My main concern is users using the URL to delete data and
> > whatnot, I want to "defend" against that.... and it just kinda hit me
> > that by typing in a URL I could delete a user, and I went "oh oh"...

> Having a URI to delete users is very Railish (it fits the CRUD/REST
> model very well.
>
> So you can have a typical URI like:
>
> example.com/users/delete/23
>
> To delete User instance with ID 23.
>
> However, the fact that there is such URI says nothing about the
> permissions required to actually execute the deletion. It means the
> client ASKS to delete User #23. Whether it would be DONE is an entirely
> different issue.

There is a further problem with allowing GET requests to invoke actions such as delete: such links may be followed by web spiders, or client-side preloading cache utilities. POST requests will not be invoked by such automatic tools. The general rule is not to use GETs for anything that would cause a change of state on the server. Merely checking whether a client has permission to delete a User will not prevent problems with client-side tools that pre-load links that they find on a page.
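Putting the three points above together (the request.post? verb check, the before_filter permission check, and the point that a prefetcher following GET links defeats a permission check alone), here is an added example that is not from this thread or from Rails itself: a plain-Ruby stand-in for the controller, with a constructed in-memory user set, an assumed session hash carrying an admin bit, and a constructed link prefetcher that GETs every link it finds on a page.

```ruby
require 'set'

# Plain-Ruby stand-in for a Rails users controller (constructed for this
# example; no Rails involved). guard_verb: false reproduces the delete-by-URL
# setup the thread worries about; guard_verb: true is the fixed version.
class UsersController
  attr_reader :users

  def initialize(user_ids, guard_verb: true)
    @users = Set.new(user_ids)   # constructed in-memory stand-in for the users table
    @guard_verb = guard_verb
  end

  # Handles /users/delete/:id. `method` is the HTTP verb; `session` is the
  # assumed session hash a before_filter would inspect. Returns [status, body].
  def destroy(method:, id:, session: {})
    # Verb check first (request.post? from the thread, extended to DELETE):
    # GET must never change state, because spiders and prefetchers follow GET links.
    if @guard_verb && !%w[POST DELETE].include?(method)
      return [405, 'GET must not change state; use POST or DELETE']
    end
    # Permission check (the before_filter admin-bit idea): the URI only ASKS.
    return [403, 'permission denied'] unless session[:admin]
    # Only now perform the state change.
    return [404, 'no such user'] unless @users.delete?(id)
    [200, "user #{id} deleted"]
  end
end

# Constructed model of a link prefetcher or spider running with the cookies of a
# logged-in admin's browser: it GETs every link on the page, session included.
# Returns the set of users left afterwards.
def prefetch_links(controller, links, session)
  links.each do |path|
    id = path[%r{\A/users/delete/(\d+)\z}, 1]
    next unless id
    controller.destroy(method: 'GET', id: id.to_i, session: session)
  end
  controller.users
end

if __FILE__ == $PROGRAM_NAME
  page_links = ['/users/show/7', '/users/delete/23']   # constructed page contents
  admin = { admin: true }
  puts prefetch_links(UsersController.new([7, 23], guard_verb: false), page_links, admin).to_a.inspect
  puts prefetch_links(UsersController.new([7, 23]), page_links, admin).to_a.inspect
end
```

With the verb guard off, the admin's prefetcher silently deletes user 23 even though the permission check passes; with it on, the GET is refused and only an explicit POST or DELETE from an admin session removes the user.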
A good explanation of this can be found in Agile Web Development with Rails, pg. 335, in a section (16.9) called "The problem with get requests"...

On 9/1/06, Michael McGreevy <rails-list-reply-smK7LWXX8tX9nUEv528toe+c56aDEaJX@public.gmane.org> wrote:
>
> > > Thanks... My main concern is users using the URL to delete data and
> > > whatnot, I want to "defend" against that.... and it just kinda hit me
> > > that by typing in a URL I could delete a user, and I went "oh oh"...
>
> > Having a URI to delete users is very Railish (it fits the CRUD/REST
> > model very well.
> >
> > So you can have a typical URI like:
> >
> > example.com/users/delete/23
> >
> > To delete User instance with ID 23.
> >
> > However, the fact that there is such URI says nothing about the
> > permissions required to actually execute the deletion. It means the
> > client ASKS to delete User #23. Whether it would be DONE is an entirely
> > different issue.
>
> There is a further problem with allowing GET requests to invoke actions such
> as delete: such links may be followed web spiders, or client-side preloading
> cache utilities. POST requests will not be invoked by such automatic tools.
> The general rule is not to use GETs for anything that would cause a change of
> state on the server. Merely checking whether a client has permission to
> delete a User will not prevent problems with client-side tools that pre-load
> links that they find on a page.
>

--
Everton J. Carpes
Mobile: +55 53 9129.4593
MSN: maskejc-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
UIN: 343716195
Jabber: everton.carpes-/eSpBmjxGS4dnm+yROfE0A@public.gmane.org
Gestum http://www.gestum.com.br/
O.S. Systems http://www.ossystems.com.br http://projects.ossystems.com.br