[AJAX] - GET or POST ?

Thor

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,413
Reaction score
7,522
Location
Bellville
Hi when I use something like:

Code: 
xhttp.open("GET", "my_file.text", true);
xhttp.send();

Is GET fine or should I always use POST? I am asking, because everyone tells me something else regarding the two and I get the feeling POST is a lot more robust, but leaves me to think it's slower than GET?

Side Note: I am just referring to AJAX usages as I always use POST for user input data.
 
when to use GET or POST is pretty simple.

Any action that could cause data on the server to change should always be driven by anything other than GET. In other words, these verbs: POST, PATCH, PUT, DELETE.

Any action that is basically only a read and will not alter the data should be done with a GET. "Should" is a little bit strong, maybe "probably should" is better.

You probably need to learn more about async vs sync wrt ajax calls.
 
Last edited:
Thor187 said:
Hi when I use something like:

Code: 
xhttp.open("GET", "my_file.text", true);
xhttp.send();

Is GET fine or should I always use POST? I am asking, because everyone tells me something else regarding the two and I get the feeling POST is a lot more robust, but leaves me to think it's slower than GET?

Side Note: I am just referring to AJAX usages as I always use POST for user input data.
Click to expand...

That's a bit confusing. GET is used to retrieve data and POST is used to send data to the server ( normally an initial bit of data ) whereas PUT is used to update. POST would be heavier than a GET I assume because it normally carries more parameters but if the server is responding to a POST request, I think it's just interpreting a bad call correctly.

Anyway, GET to me is what should be used if you are retrieving data.

To quote W3Schools

GET or POST?
GET is simpler and faster than POST, and can be used in most cases.

However, always use POST requests when:

A cached file is not an option (update a file or database on the server).
Sending a large amount of data to the server (POST has no size limitations).
Sending user input (which can contain unknown characters), POST is more robust and secure than GET.
Click to expand...
 
From a security point of view it's better to use POST when sending data to a server using SSL. If you use GET to send data via querystring parameters then the data you're sending will always be unencrypted in the url, even if you're using an SSL-enabled URL. When you use a POST or PUT request, the data is in the payload of the HTTP request and is encrypted when using an SSL-enabled URL. So, as per the previous posts, it's best practice to use POST or PUT when sending data to the server.
 
You get when you don't need to send the server anything in order to get a result.

You post when you need to send something to the server in order to get a result. Like an ID or something.
 
While you are at it, remember to not forget about CSRF and that other OWASP issue where you can access anyone's customer detail after login :whistle:
 
deweyzeph said:
From a security point of view it's better to use POST when sending data to a server using SSL. If you use GET to send data via querystring parameters then the data you're sending will always be unencrypted in the url, even if you're using an SSL-enabled URL. When you use a POST or PUT request, the data is in the payload of the HTTP request and is encrypted when using an SSL-enabled URL. So, as per the previous posts, it's best practice to use POST or PUT when sending data to the server.
Click to expand...

This is actually incorrect. SSL sets up the secure connection before the url is requested, so the querystring is encrypted along with the url. Obviously the domain is known, but that's all that can be intercepted.

You should still be cautious about what you put in the querystring, because they can leak in other ways (more likely logged, if an html page other assets, etc.)
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X