A game I sometimes play when inflicting my presentation skills upon developers is to ask the simple question “so when do you use HTTP POST as opposed to GET?” Depressingly the answers always involve the length of ‘URLs’, size and complexity of content being sent and worst of all, hiding pages from users. Occasionally some bright spark may highlight how the browser won’t resend a POST without a dialogue, but I’ve not yet been given an answer which involved the word verb, let alone safety.
So it should have come as no surprise when reading the O’Reilly PHP in a Nutshell (November 2005, first edition, wonder what took them so long?) this afternoon that in a section discussing GET and POST, there is no mention of safety.Of course this is fairly topical with the fallout following Google’s Web accelerator (They’re baaaaaaack, Back with a vengence) just surfing around and kicking off all sorts of weird and wonderful side-effects – click here to launch the nukes!
In WSDL, we had several rounds of fairly heated discussion on just this issue surrounding describing safe operations, many people being of the opinion that frameworks and tools can’t detect when an operation is ‘safe’, and developers don’t care anyway. For my money any tool or Web framework worth writing your code inside out for should fire up a dentist’s drill, slap you around the face and repeatedly ask IS IT SAFE? until it GET’s a straight answer.