This is as days pass by, by Stuart Langridge

And this is Using forms rather than links to perform actions, written , and concerning Uncategorized

I quite often build pages where there’s a link on the page that actually performs an action (rather than just jumps to another page). For example, imagine a list of documents; next to each document you have a *[Delete]* link, which goes to a cgi (passing the document’s ID in the querystring); the CGI deletes the document and redirects back to the page you were on. I never saw any problem with this.

Don’t do this.

It’s all fine, and a nice technique…until you run a spider over the site which follows every link. And then it deletes all the documents. Oops.

A link like this:

<a href="delete.cgi?id=999"><img src="trashcan.gif" alt="[Delete]"></a>
could be replaced with: 
<form action="delete.cgi" method="POST">
<input type="hidden" name="id" value="999">
<input type="image" src="trashcan.gif" alt="[Delete]">
</form>

If you’re looking for a textual link, rather than an image, then you’re a little more constrained; you could use a link that calls JavaScript to submit the form, but everyone should know by now that that’s bad. In a CSS-supporting browser you could style the <input type="submit"> to not look like a button. Of course, you might think, not unreasonably, that it should look like a button, since it does an action.

This could save you a lot of potential grief.

Update: changed the form to POST rather than GET, as reminded by Phil, Tom, and Jim in comments. This might require minor alterations to your CGI, depending on how it’s written; if it’s ASP, for example, you need to swap Request.QueryString for Request.Form.

Comments

kNo'

spiders are not supposed to access administration pages.
Pages with edit/add/delete actions would rather be protected by authentication, huh? Even a light (and not really secure) authentication (thru PHP sessions, for example) would prevent any spider to click on the links.

Jim

> spiders are not supposed to access administration pages.

Why not? It makes validation a pain in the neck for one thing.

The HTTP 1.1 specification specifically warns against this type of thing:

“In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered “safe“. This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.”

Richard@Home

Another alternative is to use a Javascript behviour layer to dynamically add the delete hyperlinks (along with a confirmation alert) to the DOM once the document has loaded.

Of course, this is useless if the browser doesnt support Javascript.

sil

kNo’: if the whole web application requires authentication, then deletion won’t require any extra, and the web spider will have to already be authenticated to do any spidering at all.
Jim: yes, yes, I know *now* :-)
Richard: yep. I’ve thought about that, but I don’t like JS-only functionality without a fallback (as you note yourself), especially in a world where my users are using mobile browser devices like the Blackberry.

kNo'

kNo’: if the whole web application requires authentication, then deletion won’t require any extra, and the web spider will have to already be authenticated to do any spidering at all.

This is exactely what I meant, I may have not been clear enough, though.

Tom Pike

When I started out on our new company intranet I installed a local copy of the WDG validator (with spidering capabilities) for the specific purpose of convincing my boss that the use of GET vs POST is very important. It worked too.

Phil Ringnalda

Ah, but do you know now? What’s to stop someone from bringing in a new link checking spider in a few months which follows every safe GET form by wrapping up the hidden inputs and selected items and “foo” for every text input into the very URL you just got rid of? GET vs. POST matters.

Pete Prodoehl

I do something similar, but the first link with ‘delete’ is a GET, which brings you to a second page with the ‘Are you sure?’ and ‘This cannot be undone’ warnings, which require a POST of a form… Works ok for me.

sil

Phil: yep. I’ll update the post, though, to indicate that POST should be used. Cheers for the reminder!
(Are there any spiders that are that clever, I wonder?)

dusoft

I think it’s OK to use links for actions in closed (secured) interfaces or interfaces that require user to log-in. Search engine is unable and will be unable to delete the stuff if following link, because the page would say something like: “Not allowed“....

sil

dusoft: ah, that’s the mistake I made. I spidered the site myself; it was an internal site requiring logon. In fact, some hard work was required to allow the spider to log in, so that i tcould get a list of pages and check for broken links…

Dave Farquhar

I think leaving the trashcan where spiders could find it would have saved you a lot of grief over on that how to be rich and famous thread… I’ll never complain about my thread about the Internet vendor that ran off without filling orders again!

sil

Dave: sing it, brother. It seems to be becomnig the watchword for stupidity in the communities I mix in. I can’t decide whether it’s a useful object lesson or a sad travesty.

This website belongs to Stuart Langridge. Contact details are available. Don't eat yellow snow. Valid HTML5, at least in theory, except for the bits that aren't because I'm that futuristic that I'm ahead of the spec, oh yes. HTML5 help from Bruce Lawson, among others. Fonts from the superb FontSquirrel. End.