[development] How to pass form values to page that actually does something.

Greg Knaddison Greg at GrowingVentureSolutions.com
Tue May 11 13:13:58 UTC 2010

I share Randy's questions, but want to diverge to discuss one thing.

On Tue, May 11, 2010 at 6:55 AM, Randy Fay <randy at randyfay.com> wrote:
> The converse is  a *really* bad idea: using a GET when changing state on the
> server, of course - this is the path to XSS everywhere.

It's a path to CSRF (cross site request forgery) and not XSS (cross
site scripting).

But really the answer is that you should use GET/POST depending on
what makes the most sense in general and then protect it in a sane way
- either with the default token that FAPI gives you or via a
self-created/self-verified query string token.

All this and more documented at http://crackingdrupal.com/node/48


Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com

More information about the development mailing list