Never use links to perform actions - just use them for their intended purpose, which is to go to related content.
For example, you should never have "delete this" links on a page. Instead you should use form submissions for such actions.
In practice, the biggest reason to avoid action links is because they are vulnerable to Cross-Site Request Forgeries (CSRFs).
If a password-protected area of your site contains a "Delete" hyperlink, this will usually be a security hole. Here’s how a CSRF attack works:
1. A user visits your site and logs in. Perhaps a cookie is set to enable that user to remain logged in for an extended period.
2. Later, while still logged into your site, the user is lured into visiting a malicious web site set up by the attacker.
3. The malicious web site contains an <img> or <script> tag, the src attribute of which points to the URL of one of your “Delete” links.
4. The user’s browser dutifully (and invisibly) requests the URL in an attempt to load it as an image or script.
5. Your server, seeing a request for the “Delete” URL from a logged-in user, deletes the content without question.
The other thing is if you are having an open site where there is no registration needed then even the bots/spiders can follow the link thus actually deleting content.
Replacing your action links with form POSTs prevents simple CSRF attacks like this.
Google’s initial release of Google Web Accelerator wreaked havoc on many sites that used action links.
Situations like this are relatively rare, but we should always take care for our customer's data.
So never have links for actions like deleting/updating in forms. Instead use forms and do these things.
