[development] Handling optional parameters

Johan Forngren johan at forngren.com
Wed Sep 24 21:02:24 UTC 2008


On Wed, Sep 24, 2008 at 10:09 PM, Steven Wittens <steven at acko.net> wrote:

> Also, you shouldn't be taking any action just from a GET request, or you're
>> opening yourself to CSRF (Cross site request forgery).  To avoid this, you
>> need a confirm form that uses POST to actually trigger the action.
>>
>
>
> This isn't really about GET vs POST, but rather about using session-derived
> tokens (which you get for free with Form API). To avoid the annoyance of a
> confirm form, you can add and verify tokens manually with drupal_get_token()
> and drupal_valid_token(). Which you should be doing for ajax callbacks
> anyway, regardless of whether they are POST or GET.
>
> Steven


This is why you should use session-based tokens:
http://www.codinghorror.com/blog/archives/001171.html

Regards,
Johan Forngren :: http://johan.forngren.com/
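The session-derived token scheme Steven describes (the token is bound to the caller's session and to the specific action, and verified on every state-changing callback whether it arrives by GET or POST) as an added, self-contained Python example. This is not code from the thread and not Drupal's own drupal_get_token()/drupal_valid_token(); it only mirrors their idea. The site-private key, the session ids, the item store and the "delete-<id>" value string are assumptions made for the demo, and HMAC-SHA256 with a constant-time compare is the construction chosen here.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed site-wide secret, analogous to Drupal's private key. Generated at
# import time so the demo runs stand-alone; a real site keeps it persistent.
PRIVATE_KEY = secrets.token_bytes(32)


def get_token(session_id: str, value: str = "") -> str:
    """Derive a token from the caller's session id, the action value and the
    site-private key. Anyone without the session cannot compute it, and a
    token minted for one action does not validate for another."""
    msg = f"{session_id}\x00{value}".encode()
    return hmac.new(PRIVATE_KEY, msg, hashlib.sha256).hexdigest()


def valid_token(token: str, session_id: str, value: str = "") -> bool:
    """Constant-time comparison so a forged token cannot be guessed byte-wise."""
    return hmac.compare_digest(token, get_token(session_id, value))


def build_delete_link(session_id: str, item_id: str) -> str:
    """What the page renders for the logged-in user: a plain GET link that
    carries a token tied to this session and this specific delete."""
    query = {"op": "delete", "id": item_id,
             "token": get_token(session_id, f"delete-{item_id}")}
    return "/item/delete?" + urlencode(query)


def handle_action(params: dict, session_id: str, items: dict) -> str:
    """Simulated menu callback. The check does not care whether the request
    was a GET or a POST: without a token minted for this session and this
    action, nothing happens."""
    item_id = params.get("id", "")
    token = params.get("token", "")
    if params.get("op") != "delete":
        return "400 unknown op"
    if not valid_token(token, session_id, f"delete-{item_id}"):
        return "403 access denied"
    if item_id not in items:
        return "404 not found"
    del items[item_id]
    return f"200 deleted {item_id}"


if __name__ == "__main__":
    # Constructed scenario: a victim session and an attacker-forged request.
    items = {"42": "some node"}
    victim = "sess-victim"

    # 1. CSRF: attacker lures the victim's browser to the URL, no token.
    print(handle_action({"op": "delete", "id": "42"}, victim, items))
    # 2. Attacker uses a token minted for his own session; still rejected.
    forged = get_token("sess-attacker", "delete-42")
    print(handle_action({"op": "delete", "id": "42", "token": forged}, victim, items))
    # 3. The link the site itself rendered for the victim succeeds.
    link = build_delete_link(victim, "42")
    good = dict(p.split("=") for p in link.split("?", 1)[1].split("&"))
    print(handle_action(good, victim, items))
```

The same `valid_token` check belongs in an AJAX callback: emit `get_token(...)` into the page (as a hidden field or a query parameter), send it back with the request, and reject the request when it fails, regardless of the HTTP method.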

