php security & marking mysql records for deletion using a html link (GET)

Question

Just wondering if people think it is safe for a website to use a html link to allow users to mark their documents for deletion from their secure account page?

I have a website where users can create documents once they have registered and logged in to the website. To delete a document I include links on their account page for each document to be marked for deletion as follows :

http://www.examplewebsitename.com/delete_document.php?docid=5

The delete_document script makes sure the docid parameter is numeric, then checks using a session variable of their user id set when they logged in, wether this person actually created this document by looking up the user id of the creator of the document. If they where the creator, then it marks the document for deletion, otherwise if the current logged in person wasnt the creator then it doesnt mark the document for deletion and returns an error page.

Do you think this is a valid and safe way to mark documents for deletion, or should I be using a form and Post to do this more securely?

Answer 1

The main reason is because GET is meant to be a safe method that is used for retrieval only:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

User agents expect this method to have no side-effects:

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

This means GET should no cause any server-side state change.

Another reason, but rather a minor one, is that GET is easier to exploit that POST as there are more ways to trigger GET request than to trigger POST request. But no matter which method, both are vulnerable to CSRF attacks.

So if you make sure you’re protected against CSRF, you could even use GET for state changing requests.

Answer 2

Three main concerns I can think of about using GET as a delete operation for your app.

1. Semantic reason, GET, according to http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html, should be an idempotent method the side-effects of N > 0 identical requests is the same as for a single request.

2. More prone to CSRF, someone could post a link to http://www.examplewebsitename.com/delete_document.php?docid=5 and wrap the link into a harmless looking anchor
   <a href="http://www.examplewebsitename.com/delete_document.php?docid=5">Click here for free puppy!</a>
   If by any chance the user is logged in and clicked on that link on his trusted website, it would inadvertently get the user to delete the document.

3. Browser addon / plugin that crawls web pages and cache links might accidentally crawl the link, opens it and again, delete the document without your user knowing.

Answer 3

Generally I advice against using GET requests to manipulate data because that's not what GET is designed to do if you stick to the HTTP Spec. If you would go completely restful you should be using a DELETE request but in most cases i use a confirmation page with a form that performs a POST request to delete the record.

Read Why should you delete using an HTTP POST or DELETE, rather than GET? for the reasoning behind this. It's been asked before in some other contexts.