Using forms rather than links to perform actions

I quite often build pages where there’s a link on the page that actually performs an action (rather than just jumping to another page). For example, imagine a list of documents; next to each document you have a *[Delete]* link, which goes to a CGI (passing the document’s ID in the querystring); the CGI deletes the document and redirects back to the page you were on. I never saw any problem with this.

Don’t do this.

It’s all fine, and a nice technique…until you run a spider over the site which follows every link. And then it deletes all the documents. Oops.

A link like this:

```html
<a href="delete.cgi?id=999"><img src="trashcan.gif" alt="[Delete]"></a>
```

could be replaced with:

If you’re looking for a textual link, rather than an image, then you’re a little more constrained; you could use a link that calls JavaScript to submit the form, but everyone should know by now that that’s bad. In a CSS-supporting browser you could style the `` to not look like a button. Of course, you might think, not unreasonably, that it *should* look like a button, since it does an action.

This could save you a lot of potential grief.

**Update:** changed the form to POST rather than GET, as reminded by Phil, Tom, and Jim in comments. This might require minor alterations to your CGI, depending on how it’s written; if it’s ASP, for example, you need to swap `Request.QueryString` for `Request.Form`.
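The server side of the POST change, as an added example that is not code from the original post: a small Python WSGI handler that deletes only on POST, reads the ID from the form body rather than the query string, and answers a followed link with 405. `DOCUMENTS`, `FORM_HTML`, `call` and the `/documents` redirect target are assumptions made for illustration, and `FORM_HTML` is one possible form equivalent to the link above, not the post's own markup.

```python
import io
from urllib.parse import parse_qs

DOCUMENTS = {"999": "report.txt", "1000": "notes.txt"}  # constructed sample data

# Assumed markup the list page could emit in place of the <a href> link.
FORM_HTML = (
    '<form method="post" action="delete.cgi">'
    '<input type="hidden" name="id" value="999">'
    '<input type="image" src="trashcan.gif" alt="[Delete]">'
    '</form>'
)

def app(environ, start_response):
    """Delete a document only when asked via POST, never via a followed link."""
    if environ.get("REQUEST_METHOD") != "POST":
        # A spider requesting delete.cgi?id=999 lands here and changes nothing.
        start_response("405 Method Not Allowed",
                       [("Allow", "POST"), ("Content-Type", "text/plain")])
        return [b"Use the form to delete a document.\n"]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    # The id comes from the request body; the query string is ignored.
    body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    doc_id = parse_qs(body).get("id", [""])[0]
    if doc_id not in DOCUMENTS:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"No such document.\n"]
    del DOCUMENTS[doc_id]
    # 303 sends the browser back to the list with a GET (assumed path).
    start_response("303 See Other", [("Location", "/documents")])
    return [b""]

def call(method, query="", body=b""):
    """Drive the app with a constructed request; returns (status, headers)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    app(environ, start_response)
    return seen["status"], seen["headers"]
```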