Proper REST verb for checking if sensitive data in

Published 2019-07-02 13:54

Question:

I need to send data and compare if it exists in the API server. For example:

<?php
// $rest is the asker's REST client object; 'verb' stands in for whichever
// HTTP method is chosen (GET, POST, PUT, ...)
$a = [];
$a['foo'] = 'hello';
$a['bar'] = 'world';
$rest->verb('resource', $a);

If the values of foo and bar exist on the API server it should return OK, else Bad Request.

I would like to use GET as the verb, as it sounds more proper, and just send the data in the query string, but what if foo and bar are sensitive info and much safer transmitted via POST/PUT? But then I am not adding or updating anything.

What is the best verb in this situation?

Answer 1:

Well, ruling out GET [1] for security concerns effectively leaves only POST/PUT (flat out ignoring DELETE).

Out of these available options, I suggest using POST because it is the more common (especially outside of REST) and less specific HTTP verb overall.

From REST for the Rest of Us:

The POST verb can carry a variety of meanings. It's the Swiss Army Knife of HTTP verbs. For some resources, it may be used to alter the internal state. For others, its behavior may be that of a remote procedure call.


[1] The issue with GET is that any data to the server must be transferred via URI (resource name and query string). This response thus assumes that a request using the POST verb would not use the URI to transfer sensitive information, or it would be no better than GET. The article How Secure are Query Strings over HTTPS? discusses some concerns with data in URIs, even with HTTPS connections (which should be used for all sensitive requests).



Answer 2:

If you send a question like that to the server and get OK back, one millisecond later it might not be OK any longer. So if you use an old (milliseconds old, but still old) response from the server as the truth to accept some client input, you still might go wrong when you try to store that data later on.

You should simply try to create something on the server, which means that it SHOULD be PUT or POST. If you read about REST, it states that PUT should be used if you know the resulting resource's URL and otherwise POST. There you have it. You probably want to send 201 if everything works and 409 otherwise.

What you create on the server with PUT / POST does not have to be the final data - it might just be a token that states that a client has claimed this id or whatever.

Now, if you still want your extra pre-check before storing anything at all on the server, you might want to look at Expect or Accept or something... don't quite remember. Here are your two friends when working with REST. :)

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

I also recommend this very good book on REST: http://shop.oreilly.com/product/9780596529260.do
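Added example (not from either answer or the asker's project): a hypothetical server-side handler that combines the two suggestions above. It serves the POST check from Answer 1, with the sensitive fields accepted only in the request body and refused if they appear in the query string, and the PUT "claim" from Answer 2 that returns 201 on creation and 409 if the resource already exists. The paths, the in-memory stores and the sample values are constructed assumptions.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed stand-in for the server's stored values (normally a database).
KNOWN = {"foo": "hello", "bar": "world"}
SENSITIVE = frozenset(KNOWN)
# Constructed store of ids already claimed via PUT (Answer 2's "token").
CLAIMED: dict = {}


def _matches(candidate: dict) -> bool:
    """Compare every sensitive field in constant time, so a timing difference
    does not reveal which field was wrong."""
    ok = True
    for key in SENSITIVE:
        sent = str(candidate.get(key, "")).encode()
        ok &= hmac.compare_digest(sent, KNOWN[key].encode())
    return ok


def handle(method: str, path: str, query: str, body: bytes) -> int:
    """Return the HTTP status code for one request (hypothetical handler)."""
    if SENSITIVE & set(parse_qs(query)):
        # Sensitive fields in the URI end up in logs, proxies and browser
        # history, so the server refuses them regardless of method.
        return 400
    try:
        data = json.loads(body or b"{}")
    except ValueError:
        return 400
    if not isinstance(data, dict):
        return 400
    if method == "POST" and path == "/resource":
        # Answer 1: a pure check, OK or Bad Request, nothing stored.
        return 200 if _matches(data) else 400
    if method == "PUT" and path.startswith("/resource/"):
        # Answer 2: client knows the id, so PUT; 201 created, 409 conflict.
        rid = path.rsplit("/", 1)[1]
        if rid in CLAIMED:
            return 409
        CLAIMED[rid] = data
        return 201
    return 405
```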



Tags: api rest