I had a response on a question yesterday about sending POST data to the same page with the Post-Redirect-Get pattern like this:
if (isset($_POST['Submit'])) {
    // prevent resending data on refresh: redirect to the same page (Post-Redirect-Get)
    header("Location: " . $_SERVER['PHP_SELF']);
    exit; // stop processing once the redirect has been sent
}
Someone replied: sending data to same PHP page from Javascript, no AJAX or forms
It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.
Now I would like to know what is wrong with this? I want to avoid using a separate page with the confirmation message, because it just breaks the user experience and from a design POV it is a no-go.
It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.
I think the person who said this might have misunderstood either you or web security.
There's nothing wrong with using the same URL for different request methods (GET, POST, PUT, DELETE, HEAD etc). In fact, it's a very good idea.
It is extremely important for the purposes of web security that a POST cannot be sent via a simple URL.
I rather interpret this sentence as meaning that it should not be possible for a GET request on the same URL to cause the same effect as a POST request. So checking for $_REQUEST['submit'] instead of explicitly checking $_POST['submit'] or $_SERVER['REQUEST_METHOD'] could be a violation.
Maybe the author also meant that the form uses some one-time authentication token so that only authenticated requests are permitted.
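The distinction drawn in this answer, as an added example that is not part of the question or either answer: a handler keyed on $_REQUEST lets a plain GET URL perform the action, while the hardened handler acts only on POST, checks a one-time session token, and redirects to the same URL (Post-Redirect-Get) before exiting. do_action() is a hypothetical placeholder for the state-changing work.

```php
<?php
// Added example, not code from the question or the answers. It contrasts a
// handler that reacts to $_REQUEST (so a plain GET URL performs the action)
// with one that acts only on POST, checks a one-time session token, and then
// redirects to the same URL (Post-Redirect-Get). do_action() is a placeholder.
session_start();

function do_action(): void {
    // hypothetical state-changing work, e.g. a database write
}

// WEAK (shown for contrast, never called): $_REQUEST merges GET, POST and
// COOKIE, so opening page.php?Submit=1 in a browser runs the action with no
// form posted, and without exit the script keeps executing after header().
function handle_weak(): void {
    if (isset($_REQUEST['Submit'])) {
        do_action();
        header('Location: ' . $_SERVER['PHP_SELF']);
    }
}

// HARDENED: only POST changes state, the token issued to this session must
// match (constant-time compare), and the script stops after redirecting.
function handle_hardened(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['Submit'])) {
        return;                       // a GET of this URL only renders the page
    }
    $expected = $_SESSION['token'] ?? '';
    if ($expected === '' || !hash_equals($expected, (string)($_POST['token'] ?? ''))) {
        http_response_code(403);
        exit('invalid or missing form token');
    }
    unset($_SESSION['token']);        // one-time token, as the second answer suggests
    do_action();
    $_SESSION['flash'] = 'Saved.';    // confirmation survives the redirect
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

handle_hardened();

// The GET after the redirect shows the confirmation and issues a fresh token.
if (isset($_SESSION['flash'])) {
    echo '<p>' . htmlspecialchars($_SESSION['flash']) . '</p>';
    unset($_SESSION['flash']);
}
$_SESSION['token'] = bin2hex(random_bytes(32));
echo '<form method="post"><input type="hidden" name="token" value="'
   . $_SESSION['token'] . '"><button name="Submit" value="1">Submit</button></form>';
```

The confirmation message is carried across the redirect in the session, so the same page can show it on the follow-up GET without a separate confirmation page.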