GET vs POST

Discussion corner for Developers of Serendipity.
Post Reply
User avatar
onli
Regular
Posts: 2163
Joined: Tue Sep 09, 2008 10:04 pm
Contact:

GET vs POST

Post by onli » Sat Mar 14, 2015 10:42 pm

I talked shortly with Mattsches about it in our meeting, but found now the corresponding code: We are doing strange things with GET and POST parameters. In fact, we are basically ignoring the difference in parts of the core. I propose to enable the distinction in out next major version

In serendipity_config,inc.php, there are these line:

Code: Select all

// We don't care who tells us what to do.
if (!isset($serendipity['GET']['action'])) {
    $serendipity['GET']['action'] = (isset($serendipity['POST']['action']) ? $serendipity['POST']['action'] : '');
}

if (!isset($serendipity['GET']['adminAction'])) {
    $serendipity['GET']['adminAction'] = (isset($serendipity['POST']['adminAction']) ? $serendipity['POST']['adminAction'] : '');
}
Also, we are actively using GET requests where we should use POST, for example when confirming the deletion of an image or for adding a comment-attribute to the spamblock-list. This is critical, because any browser with a prefetch-function could trigger actions by accident.

User avatar
garvinhicking
Core Developer
Posts: 30015
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: GET vs POST

Post by garvinhicking » Sun Mar 15, 2015 12:47 pm

Yes. Because we don't have $serendipity['REQUEST'] and making each plugin or core part check "if GET... OR POST..." would have disturbed readability.

The better term would be to use "REQUEST" of course, but that'd break BC with a lot of plugins. I don't think it really hurts for specific parameters like these.

Also, we are actively using GET requests where we should use POST, for example when confirming the deletion of an image or for adding a comment-attribute to the spamblock-list. This is critical, because any browser with a prefetch-function could trigger actions by accident.
I think this is mostly because using POST would require a <form>, and often such links are embedded within a <form> and couldn't use a "subform". But of course, whereever a GET request really changes something, we should find ways to perform that with a POST request only!
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/

Post Reply