[development] Handling optional parameters

Steven Wittens steven at acko.net
Wed Sep 24 20:09:18 UTC 2008

> Also, you shouldn't be taking any action just from a GET request, or  
> you're opening yourself to CSRF (Cross site request forgery).  To  
> avoid this, you need a confirm form that uses POST to actually  
> trigger the action.

This isn't really about GET vs POST, but rather about using session- 
derived tokens (which you get for free with Form API). To avoid the  
annoyance of a confirm form, you can add and verify tokens manually  
with drupal_get_token() and drupal_valid_token(). Which you should be  
doing for ajax callbacks anyway, regardless of whether they are POST  
or GET.


More information about the development mailing list