On 10/14/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> Data changes should not be triggered by GET requests.

Whilst I agree and that guides whether I use GET or POST within my UI (and it's OK to use method="get" on forms if they are query-only forms such as searches), I would question whether it's really important *inside* your application code to distinguish between GET and POST.

Question to Dave: do your applications actually verify that any data changing requests really use POST?

Suggestion to Matt et al: since all you really need to ensure is that certain requests came from a POST, you can write a filter (or whatever equivalent your framework du jour supports) that checks the request was a POST and encapsulate the logic in that one place (testing CGI.HTTP_METHOD). Then for a data changing request, just add that filter and you're done.

Fusebox example: in <prefuseaction> on your controller circuit, check the fuseaction against a list of "must use POST" fuseactions and check the CGI variable:

    <set name="dataChangingActions" value="doupdate,dosomething" />
    <if condition="listFindNoCase(dataChangingActions,myFusebox.originalFuseaction)">
      <true>
        <if condition="CGI.HTTP_METHOD is 'POST'">
          <false>
            <!-- illegal GET -->
          </false>
        </if>
      </true>
    </if>

-- 
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- http://corfield.org/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291079
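
The same single-place check outside Fusebox, as an added example that is not part of the original post: an Application.cfc whose onRequestStart refuses any non-POST request for the listed actions with a 405 and logs the rejection. It assumes ColdFusion 11+ or Lucee script syntax, that the action arrives in a `fuseaction` URL or form parameter, and a hypothetical log file name `postfilter`; the HTTP verb is read with getHTTPRequestData().

```cfml
// Application.cfc -- added example, not code from the original post
component {

    this.name = "postOnlyFilterDemo"; // hypothetical application name

    // Actions that change data and must arrive via POST (list from the post above)
    variables.dataChangingActions = "doupdate,dosomething";

    public boolean function onRequestStart(required string targetPage) {
        // Assumption: the action is passed as fuseaction=circuit.action
        var fuseaction = "";
        if (structKeyExists(form, "fuseaction")) {
            fuseaction = form.fuseaction;
        } else if (structKeyExists(url, "fuseaction")) {
            fuseaction = url.fuseaction;
        }

        // Compare only the action part, ignoring the circuit name
        var action = listLast(fuseaction, ".");
        var method = getHTTPRequestData().method;

        if (listFindNoCase(variables.dataChangingActions, action)
                && compare(method, "POST") != 0) {
            // Illegal GET (or any other verb): stop before controller code runs
            writeLog(
                file = "postfilter",
                type = "warning",
                text = "Rejected #method# for #action# from #cgi.remote_addr#"
            );
            cfheader(statuscode = 405, statustext = "Method Not Allowed");
            cfheader(name = "Allow", value = "POST");
            return false; // returning false aborts the request
        }
        return true;
    }
}
```

Requiring POST here only enforces the verb; it does not by itself show that the request was made intentionally by the logged-in user.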