[development] Handling optional parameters

Steven Wittens steven at acko.net
Wed Sep 24 20:09:18 UTC 2008


> Also, you shouldn't be taking any action just from a GET request, or
> you're opening yourself to CSRF (Cross site request forgery). To
> avoid this, you need a confirm form that uses POST to actually
> trigger the action.


This isn't really about GET vs POST, but rather about using
session-derived tokens (which you get for free with Form API). To avoid
the annoyance of a confirm form, you can add and verify tokens manually
with drupal_get_token() and drupal_valid_token(), which you should be
doing for ajax callbacks anyway, regardless of whether they are POST
or GET.

Steven
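As an added illustration of the manual token approach Steven describes (this is example code written for this page, not code from the thread or from Drupal core), here is a Drupal 6 style menu callback that protects a GET-triggered action with drupal_get_token() / drupal_valid_token(). The module name `example_toggle`, the path `example/toggle/%`, and the `$_GET['token']` parameter name are assumptions; the two token functions and the hook_menu() item keys are the Drupal 6 API as Steven refers to it. The token is bound to a value that includes the action and the target id, so a token minted for one action cannot be replayed against another.

```php
<?php
// Example code added to illustrate the thread; not part of Drupal core.
// Assumes Drupal 6: hook_menu(), drupal_get_token(), drupal_valid_token(),
// drupal_access_denied(), drupal_json(), l() and url() with array 'query'.

/**
 * Implementation of hook_menu().
 *
 * Registers a GET endpoint (e.g. for an Ajax call) that performs an action.
 * Access is still checked here; the token only proves the request came
 * from a page we rendered for this session, not that the user is allowed.
 */
function example_toggle_menu() {
  $items = array();
  $items['example/toggle/%'] = array(
    'page callback'    => 'example_toggle_callback',
    'page arguments'   => array(2),
    'access arguments' => array('toggle example items'), // hypothetical permission
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the value the token is bound to.
 *
 * Including both the action name and the id means a token handed out for
 * "toggle item 5" is not valid for "toggle item 6" or for "delete item 5".
 */
function example_toggle_token_value($id) {
  return 'example-toggle-' . (int) $id;
}

/**
 * Renders the link (or the URL an Ajax script would call) with a token
 * derived from the current session. Call this from the page that offers
 * the action; the returned URL is only valid for the session that rendered it.
 */
function example_toggle_link($id) {
  $value = example_toggle_token_value($id);
  return l(t('Toggle'), 'example/toggle/' . (int) $id, array(
    'query' => array('token' => drupal_get_token($value)),
  ));
}

/**
 * Menu callback: verifies the token before doing anything with side effects.
 *
 * Without this check, any site could embed <img src="/example/toggle/5">
 * and have a logged-in visitor perform the action unknowingly (CSRF).
 * With it, the attacker would need the session-bound token, which they
 * cannot obtain from their own page.
 */
function example_toggle_callback($id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';

  // drupal_valid_token() recomputes the token for this session and value
  // and compares it; a missing, stale, or foreign-session token fails.
  if (!drupal_valid_token($token, example_toggle_token_value($id))) {
    // Refuse the request; nothing below has run, so no state was changed.
    drupal_access_denied();
    return;
  }

  // Token is valid and the user passed the access check: do the work.
  $new_state = example_toggle_perform((int) $id);

  // Reply as JSON for an Ajax caller (drupal_json() also sets the header).
  drupal_json(array('status' => 'ok', 'id' => (int) $id, 'state' => $new_state));
}

/**
 * The actual side effect; a stand-in for whatever the real module would do.
 * Kept separate so the callback above is purely "verify, then act".
 */
function example_toggle_perform($id) {
  // Hypothetical: flip a flag stored in a variable keyed by id.
  $flags = variable_get('example_toggle_flags', array());
  $flags[$id] = empty($flags[$id]) ? 1 : 0;
  variable_set('example_toggle_flags', $flags);
  return $flags[$id];
}
```

The same pattern works for a POST endpoint: the only change is reading the token from `$_POST` instead of `$_GET`. What makes the endpoint safe is the session-bound token check, not the HTTP method, which is the point Steven is making above. Form API forms get this for free because they embed a `form_token` built the same way and validate it in drupal_process_form().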


