Using forms rather than links to perform actions

I quite often build pages where there’s a link on the page that actually performs an action (rather than just jumps to another page). For example, imagine a list of documents; next to each document you have a *[Delete]* link, which goes to a CGI (passing the document’s ID in the querystring); the CGI deletes the document and redirects back to the page you were on. I never saw any problem with this.

Don’t do this.

It’s all fine, and a nice technique…until you run a spider over the site which follows every link. And then it deletes all the documents. Oops.

A link like this:

<a href="delete.cgi?id=999"><img src="trashcan.gif" alt="[Delete]"></a>

could be replaced with:

If you’re looking for a textual link, rather than an image, then you’re a little more constrained; you could use a link that calls JavaScript to submit the form, but everyone should know by now that that’s bad. In a CSS-supporting browser you could style the `` to not look like a button. Of course, you might think, not unreasonably, that it *should* look like a button, since it does an action.

This could save you a lot of potential grief.

**Update:** changed the form to POST rather than GET, as reminded by Phil, Tom, and Jim in comments. This might require minor alterations to your CGI, depending on how it’s written; if it’s ASP, for example, you need to swap `Request.QueryString` for `Request.Form`.
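As an added example (not the author's code), here is a small Python WSGI app standing in for the CGI: it renders the delete control as a POST form and refuses the delete over GET, so a client that only follows links cannot trigger it. The names `app`, `request`, the `/delete` path and the sample documents are assumptions made for the illustration.

```python
# Added example: a destructive action that only accepts POST (names are hypothetical).
from html import escape
from io import BytesIO
from urllib.parse import parse_qs

DOCUMENTS = {"999": "report.txt", "1000": "notes.txt"}  # constructed sample data

# The delete control is a form button, not a link, so link-following clients skip it.
FORM = ('<form method="post" action="/delete">'
        '<input type="hidden" name="id" value="{id}">'
        '<input type="image" src="trashcan.gif" alt="[Delete]"></form>')

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    if path == "/delete":
        if method != "POST":
            # Spiders and prefetchers issue GET; never change state on it.
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b"Use the form to delete.\n"]
        size = int(environ.get("CONTENT_LENGTH") or 0)
        fields = parse_qs(environ["wsgi.input"].read(size).decode())
        DOCUMENTS.pop(fields.get("id", [""])[0], None)
        # Redirect back to the listing, as the original CGI did.
        start_response("303 See Other", [("Location", "/")])
        return [b""]
    rows = "".join(f"<li>{escape(name)} {FORM.format(id=escape(doc_id))}</li>"
                   for doc_id, name in DOCUMENTS.items())
    start_response("200 OK", [("Content-Type", "text/html")])
    return [f"<ul>{rows}</ul>".encode()]

def request(method, path, body=b"", query=""):
    """Call the app in-process and return the status line it produced."""
    status = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "QUERY_STRING": query, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": BytesIO(body)}
    app(environ, lambda s, headers: status.append(s))
    return status[0]

if __name__ == "__main__":
    print(request("GET", "/delete", query="id=999"), sorted(DOCUMENTS))
    print(request("POST", "/delete", body=b"id=999"), sorted(DOCUMENTS))
```

The method check stops link-following clients; it is not a substitute for authentication or request-forgery protection on the handler.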
