Monday, May 29, 2006

GET versus POST - everybody needs a reminder sometimes..


I was reading some HTTP documentation this morning and came across the classic distinction between GET and POST.

One paragraph (from the HTTP/1.1 specification, RFC 2616, section 9.1.1 "Safe Methods") is especially important:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.


Now, imagine you develop a content management system. You collect the page name through the GET method, obviously, and retrieve the content. Nothing wrong here. But you may be tempted to let that same GET request write to your database, storing the page name alongside other posted data for navigation analysis or some other purpose. That GET now has a side effect, which is not good programming practice and makes your system insecure, as outlined below:

If you use GET for operations with side-effects, you make your system insecure. For example, a malicious Web page publisher outside a firewall might put a URI in a page that, when dereferenced unwittingly by someone inside the firewall, could activate a function on another system within the firewall.
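To make the distinction concrete, here is an added example (my own code, not part of the original post or of any real CMS). It contrasts two request handlers for a toy content store: one binds a state-changing action to a plain GET URL, which is exactly the pattern the two quoted passages warn against, and the other treats GET and HEAD as retrieval only and accepts the side-effecting action solely over POST with a per-session token. The delete action, the `/page` and `/delete` paths, the session ids and the token scheme are all invented for the illustration; the point generalises to any operation with side effects, not just deletes.

```python
"""Added example: safe GET versus side-effecting POST in a toy content store.

Everything here (paths, session ids, token scheme) is constructed for the
demo; it is not the code of any real system.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

# Methods that, per RFC 2616 section 9.1.1, must only retrieve.
SAFE_METHODS = {"GET", "HEAD"}

Response = Tuple[int, str]  # (status code, body)


@dataclass
class Store:
    """In-memory page store standing in for the CMS database."""
    pages: Dict[str, str] = field(
        default_factory=lambda: {"home": "Welcome", "about": "About us"}
    )
    # One CSRF token per logged-in session (issued when a form is rendered).
    csrf_tokens: Dict[str, str] = field(default_factory=dict)

    def issue_csrf_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(16)
        self.csrf_tokens[session_id] = token
        return token


def _query_param(url: str, key: str) -> str:
    return parse_qs(urlsplit(url).query).get(key, [""])[0]


def handle_unsafe(store: Store, method: str, url: str) -> Response:
    """The pattern to avoid: a state change reachable through a GET URL.

    Because the browser performs GETs for images, links and redirects without
    asking, any page the user visits can make this delete happen on their
    behalf. Kept here only as the 'before' picture.
    """
    path = urlsplit(url).path
    name = _query_param(url, "name")
    if path == "/page":
        return (200, store.pages[name]) if name in store.pages else (404, "")
    if path == "/delete":
        store.pages.pop(name, None)  # side effect on a GET
        return (200, "deleted")
    return (404, "")


def handle_safe(store: Store, method: str, url: str, body: str = "",
                session_id: str = "", csrf_token: str = "") -> Response:
    """GET/HEAD only read; the side-effecting action needs POST plus a token."""
    path = urlsplit(url).path
    if path == "/page":
        if method not in SAFE_METHODS:
            return (405, "")  # reads are exposed only through safe methods
        name = _query_param(url, "name")
        return (200, store.pages[name]) if name in store.pages else (404, "")
    if path == "/delete":
        if method != "POST":
            return (405, "")  # a GET here can never change anything
        expected = store.csrf_tokens.get(session_id)
        # Constant-time compare so the token check does not leak timing.
        if not expected or not hmac.compare_digest(expected, csrf_token):
            return (403, "")  # request did not originate from our own form
        name = parse_qs(body).get("name", [""])[0]
        store.pages.pop(name, None)
        return (200, "deleted")
    return (404, "")


if __name__ == "__main__":
    s = Store()
    print(handle_unsafe(s, "GET", "/delete?name=about"), sorted(s.pages))
    s = Store()
    print(handle_safe(s, "GET", "/delete?name=about"), sorted(s.pages))
    tok = s.issue_csrf_token("sess1")
    print(handle_safe(s, "POST", "/delete", "name=about", "sess1", tok), sorted(s.pages))
```

The hardened handler answers 405 to a GET on the action path, so a URL planted in someone else's page can at most produce a harmless error in the victim's browser, and it answers 403 to a POST that does not carry the token issued to that session, so a forged form submission fails as well. Whether the store lives in memory or in a real database makes no difference to the rule: the method decides what is allowed to change state, not the URL.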
