HttpPost vs HttpGet attributes in MVC: Why use HttpPost?

http-get asp.net-mvc attributes http-post

So we have [HttpPost], which is an optional attribute. I understand this restricts the call so it can only be made by an HTTP POST request. My question is why would I want to do this?


Imagine the following:

[HttpGet]
public ActionResult Edit(int id) { ... }

[HttpPost]
public ActionResult Edit(MyEditViewModel myEditViewModel) { ... }

This wouldn't be possible unless the ActionMethodSelectorAttributes HttpGet and HttpPost where used. This makes it really simple to create an edit view. All the action links just points right back to the controller. If the view model validates false, you just pop right back to the edit view again.

I will be bold and say this is best practice when it comes to CRUDish things in ASP.NET MVC.

EDIT:

@TheLight asked what was needed in the view to accomplish the post. It's simply just a form with method POST.

Using Razor, this would look something like this.

@using (Html.BeginForm())
{
    <input type="text" placeholder="Enter email" name="email" />
    <input type="submit" value="Sign Up" />
}

This renders the following HTML:

<form action="/MyController/Edit" method="post">    
    <input type="text" name="email" placeholder="Enter email">
    <input type="submit" value="Sign Up">
</form>

When the form is submitted, it will perform an Http Post request to the controller. The action with the HttpPost attribute will handle the request.


Its so you can have multiple Actions that use the same name, you can use the HttpPost attribute to mark which method gets handled on a Post request like so:

    public ActionResult ContactUs()
    {
        return View();
    }

    [HttpPost]
    public ActionResult ContactUs(ContactUsModel model)
    {
        //do something with model

        return View();
    }

As far as best practices for HttpGet and HttpPost, it is good practice in any web development to use HttpPost for Creates, Updates, and Deletes (data modification). Post is good because they require a form submission, which prevents users from clicking poisoned links(e.g. [https://www.example.com/Delete/1]) in emails, social sites, etc. and changing data inadvertently. If you are basically just Reading data HttpGet works great.

See OWASP for more in-depth security considerations and why the validation token increases security.


This is mainly so that you can have two Actions with the same name, one which is used on GETs and perhaps displays a form for user entry and the other being used on POSTs when the user submits the form displayed by the original GET. If the Actions are not differentiated in this way, an error will occur due to being unable to resolve which Action is intended to handle the request.

Related

Random order of rows Matlab
An invalid XML character (Unicode: 0xc) was found
Why is this Java code 6x faster than the identical C# code?
arrow keys are not functional in sqlplus
Use of PHP Magic Methods __sleep and __wakeup
What is a context?
IntelliJ IDEA highlights @Entity class names with "Cannot resolve symbol" in JPQL
fatal error: iostream.h no such file or directory [duplicate]
Precision of multiplication by 1.0 and int to float conversion
Java Read Large Text File With 70million line of text
How can I print bytea data as a hexadecimal string in PostgreSQL / pgAdmin III?
Javascript Reload Page