[development] How to pass form values to page that actually does something.

Randy Fay randy at randyfay.com
Tue May 11 12:55:43 UTC 2010

Damien: I'd be interested in hearing more detail.

A bunch of clarifications:

- displaying results in a POST (on form submission) is just a bad
idea. Don't do that, you should use GET.

The converse is  a *really* bad idea: using a GET when changing state on the
server, of course - this is the path to XSS everywhere.  But why is it bad
to use a POST to display results?  Just using a POST to gather info that you
don't want as arguments seems innocuous to me, as long as they're properly
handled. An example might be a one-time in-form (non-session)
authentication, which must not be a GET. So please elaborate.

> - if you really want to display results in a POST (remember: don't do
> that), use the form submit function for what it is designed to do:
> take action. In your case the action is to rebuild the form and
> display the result there: store the results in $form_state['storage'],
> and display that in your form callback.
Every multistep form is essentially rebuilding the form based on prior
input. What is the difference between that and displaying (correctly
processed) results by processing information in the form builder function?

Thanks for your thoughts,

> Damien

Randy Fay
Drupal Module and Site Development
randy at randyfay.com
+1  970.462.7450
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20100511/f4d20d1a/attachment.html 

More information about the development mailing list