How to POST

[Ben Han]

I've never written an API before and I'm having trouble figuring out how to make POST calls. I think I've got the GET calls for status and winner working properly, but when I attempt somethig like http://localhost:8080/bid?name=foo&client=1234&bid=100, I only see HTTP GET calls output in the terminal. Do I need to do something with forms? I'm using web.py

[Josh Rosen]

There are a bunch of techniques to issue POST requests; the specifics depend on which tool or library you're using.

Writing a web form would work, but that's overkill.

I used htty (http://htty.github.com/htty/) to interactively issue requests. 

You could also do this with curl (http://superuser.com/questions/149329/what-is-the-curl-command-line-syntax-to-do-a-post-request).

You can issue HTTP requests from Python using the urllib2 module (http://docs.python.org/2/library/urllib2.html) or a third-party wrapper for it (such as http://docs.python-requests.org/en/latest/). 

- Josh

[Ben Han]

I just threw in a self.POST into the GET method. Is this reasonable? One wierd side affect is that the arguments I passed to POST had "u" prepended to them.

[Ben Han]

On closer examination, it looks like if I try to return the arguments to a GET call there are u's prepended, but if I print to terminal they aren't there. So I guess at the backend their going through normally.

[Josh Rosen]

It might be a good idea to test your server with POST requests because that's what our testing scripts will do.

Aliasing the GET handler to the POST handler might simplify debugging, but it's a bad practice.  The HTTP specification says that GET requests should not have side-effects (such as creating auctions or placing bids).  POST requests are allowed to have side-effects, so browsers take special precautions to prevent duplicate / unintended requests (this is what happens when your browser warns you about duplicate form resubmission).

GET requests with side-effects are a common enabler of cross-site request forgery attacks (https://en.wikipedia.org/wiki/Cross-site_request_forgery).  Imagine that I sent you a tinyurl that linked to http://localhost:8080/bid?name=foo&client=1234&bid=100; if your server accepts bids through GET requests, clicking on my obfuscated URL would cause you to place a bid without your knowledge or permission.

If you're seeing u's prepended to strings, they might be Unicode string literals:

>>> s = u"Hello, World!"

>>> s

u'Hello, World!'

>>> str(s)

'Hello, World!'

>>> repr(s)

"u'Hello, World!'"

- Josh

[Ben Han]

Josh,

Thanks for the detailed responses. I'll take a closer look at those links you posted in your first response and try to get it right.

[Akihiro Matsukawa]

Yeah, read those links they are helpful. FYI, here is how I'm doing a POST:

$ curl --data-urlencode "" "localhost:5000/bid?name=test&client=12345&bid=100"; echo

And a GET:

$ curl "localhost:5000/status?name=test"; echo

[Akihiro Matsukawa]

Oh oops sorry I just realized I copied and pasted the wrong thing for POST. POST params should be in the --data part, I believe. 

[Rohit Turumella]

I found this useful chrome extension called Postman which allows you to easily simulate requests and dissect responses in the browser if you're looking for an in-browser solution.

[Noel Moldvai]

second that Postman. makes everything faster.