24 Sep
2008
24 Sep
'08
10:09 p.m.
Also, you shouldn't be taking any action just from a GET request, or you're opening yourself to CSRF (Cross site request forgery). To avoid this, you need a confirm form that uses POST to actually trigger the action.
This isn't really about GET vs POST, but rather about using session- derived tokens (which you get for free with Form API). To avoid the annoyance of a confirm form, you can add and verify tokens manually with drupal_get_token() and drupal_valid_token(). Which you should be doing for ajax callbacks anyway, regardless of whether they are POST or GET. Steven