“Updates are currently disallowed on GET requests” error creating a site collection

Question

I am using SharePoint Server 2007 Enterprise with Windows Server 2008 Enterprise. I have deployed a publishing portal. I am developing a ASP.Net web application using VSTS 2008 + C# + .Net 3.5 + ASP.Net + SharePoint Server 2007 SDK.

Here is my code snippets and I got error -- "Updates are currently disallowed on GET requests". Any ideas how to fix?

Microsoft.SharePoint.SPException: Updates are currently disallowed on GET requests. To allow updates on a GET, set the 'AllowUnsafeUpdates' property on SPWeb.

        protected void Page_Load(object sender, EventArgs e)
        {
            try
            {
                SPWebApplication webApp = SPContext.Current.Site.WebApplication;
                SPSiteCollection siteCollections = webApp.Sites;
                foreach (SPSite item in siteCollections)
                {
                    SPWeb webItem = item.OpenWeb();
                    webItem.AllowUnsafeUpdates = true;
                }

                SPSite newSiteCollection = siteCollections.Add("sites/myblog",
                    "New Sample Site", "New Sample Site Description", 1033, "BLOG#0",
                    "foo\\foouser", "Owner name", "owneremail@foo.com");
            }
            catch (Exception ex)
            {
                Response.Write(ex.ToString() + "\t" + ex.StackTrace);
            }
        }

Update 1: I met with the same error with the following code,

        SPContext.Current.Web.AllowUnsafeUpdates = true;
        SPWebApplication webApp = SPContext.Current.Site.WebApplication;
        SPSiteCollection siteCollections = webApp.Sites;
        /*
        foreach (SPSite item in siteCollections)
        {
            SPWeb webItem = item.OpenWeb();
            webItem.AllowUnsafeUpdates = true;
        }
        */
            SPSite newSiteCollection = siteCollections.Add("sites/myblog",
                "New Sample Site", "New Sample Site Description", 1033, "BLOG#0",
                "foo\\foouser", "Owner name", "owneremail@foo.com");

Answer 1

Be aware that SPSite also has an AllowUnsafeUpdates property that you can try.

If you change this, do it inside a try/finally so that you are sure not to make your site vounerable to cross-side scripting attacks (it would seem from your code sample that you already have bypassed the XSS protection from all your sub-sites, so you might want to enable that again!).

Eventually the AllowUnsafeUpdates property will be reset to its default value (any operation that call SPWeb.Invalidate() amongst others), but until then your site will be prone to XSS attacks.

Answer 2

I think you need to set AllowUnsafeUpdates on the Web that is invoking this code.

bool currentSetting = SPContext.Current.Web.AllowUnsafeUpdates;
SPContext.Current.Web.AllowUnsafeUpdates = true;

... do your work here

SPContext.Current.Web.AllowUnsafeUpdates = currentSetting;

Answer 3

If you really want to do this with a GET-request, performing 'SPUtility.ValidateFormDigest()' should also do the trick, without needing to touch the AllowUnsafeUpdates property (which is really something you should avoid, in my opinion)