2

When evaluating that a form was submitted, I check that the method was post, not get. I was told this is a good way to know that the form was submitted by clicking the submit button and that it's not just being submitted by a script that's passing the data in the url.

How about the "put" method? It seems very similar to "post". Can it more or less be used instead of "post" without much loss in the benefits provided by "post"?

samuel
  • possible duplicate of [Are the PUT, DELETE, HEAD, etc methods available in most web browsers?](http://stackoverflow.com/questions/165779/are-the-put-delete-head-etc-methods-available-in-most-web-browsers) – Pekka Nov 07 '10 at 12:09
  • Errmm... the following is NOT right: "I was told this is a good way to know that the form was submitted by clicking the submit button and that it's not just being submitted by a script that's passing the data in the url." See CSRF on Wikipedia: "Using the HTTP specified usage for GET and POST, in which GET requests never have a permanent effect, is good practice but is not sufficient to prevent CSRF. Attackers can write JavaScript or ActionScript that invisibly submits a POST form to the target domain." – thejh Nov 07 '10 at 12:11
  • @Pekka, I'm not really concerned with browser compatibility now. I'm more concerned with the stage after that. For example, if it's supported and the browser can detect it, what happens after that in the web application itself, security-wise. Is a put weaker than a post or are they more or less the same? – samuel Nov 07 '10 at 12:12
  • @thejh, ok you got me there. Let's assume that the form has a "csrf" token and is protected this way, would you use a get then? I think not. You would still use a post. Not sure why, but everyone agrees that forms should be submitted with post method and not get. – samuel Nov 07 '10 at 12:15
  • @samuel: Yes, because POST is intended for submitting stuff and GET is for fetching and because POST can send more data. – thejh Nov 07 '10 at 12:16
  • @samuel what difference does all this make when you can't use `put` in a browser in the first place? Am I misunderstanding something? – Pekka Nov 07 '10 at 12:24
  • @samuel: PUT is an old method for uploading files. – thejh Nov 07 '10 at 12:33
  • 1
    PUT is an old method for uploading files in the sense that GET is an old method for getting data. It is **the** standard way to replace a resource in HTTP. – Quentin Nov 07 '10 at 12:51

3 Answers

9

No.

HTML only supports post and get as form methods, even though HTTP has others.

Even outside the context of an HTML form, the answer is still no as PUT and POST are very different. POST is a generic "Here is some data, do something with it" method, while PUT means "Replace the resource at this URI with this data".

Quentin
0

If you're doing it for security reasons, GET or POST doesn't matter. Read the Wikipedia article on XSRF prevention: http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention

thejh
  • Actually partly security reasons, but I want to know the difference between post and put (not get and post). I want to verify if post and put are more or less the same. I wrote you a reply to your original comment. – samuel Nov 07 '10 at 12:18
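
The point made in this answer and in the Wikipedia quote in the comments, as an added example that is not part of the original thread: a check on the request method alone accepts any POST, while a per-session token check treats POST and PUT the same and rejects requests that lack the token. The function names, the `csrf_token` field name and the sample requests are assumptions made for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # should never change state


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session token to embed in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def method_only_check(method: str) -> bool:
    """The check described in the question: accept anything sent as POST."""
    return method.upper() == "POST"


def accept_state_change(method: str, session: dict, form: dict) -> bool:
    """Accept a state-changing request only if it carries the session's token."""
    if method.upper() in SAFE_METHODS:
        return False  # no state changes over safe methods
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed sample requests (not from the original page).
    session = {}
    token = issue_csrf_token(session)
    with_token = {"comment": "hello", "csrf_token": token}
    without_token = {"comment": "hello"}  # e.g. a form hosted on another origin
    cases = [
        ("POST with token", "POST", with_token),
        ("POST without token", "POST", without_token),
        ("PUT with token", "PUT", with_token),
        ("PUT without token", "PUT", without_token),
        ("GET with token", "GET", with_token),
    ]
    for name, method, form in cases:
        print(f"{name:20} method-only={method_only_check(method)!s:5} "
              f"token-check={accept_state_change(method, session, form)}")
```
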
0

There is no difference between put and post in security ... but put is not supported in some services.

Mohammad Efazati