On 10/14/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> Data changes should not be triggered by GET requests.

Whilst I agree and that guides whether I use GET or POST within my UI
(and it's OK to use method="get" on forms if they are query-only forms
such as searches), I would question whether it's really important
*inside* your application code to distinguish between GET and POST.

Question to Dave: do your applications actually verify that any
data-changing requests really use POST?

Suggestion to Matt et al: since all you really need to ensure is that
certain requests came from a POST, you can write a filter (or whatever
equivalent your framework du jour supports) that checks the request
was a POST and encapsulate the logic in that one place (testing
CGI.HTTP_METHOD). Then for a data-changing request, just add that
filter and you're done.

Fusebox example: in <prefuseaction> on your controller circuit, check
the fuseaction against a list of "must use POST" fuseactions and check
the CGI variable:

<set name="dataChangingActions" value="doupdate,dosomething" />
<if condition="listFindNoCase(dataChangingActions,myFusebox.originalFuseaction)">
  <true>
    <!-- CGI.REQUEST_METHOD is the CGI variable that carries the HTTP verb -->
    <if condition="CGI.REQUEST_METHOD is 'POST'">
      <false>
        <!-- illegal GET -->
      </false>
    </if>
  </true>
</if>

--
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- http://corfield.org/
"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291079
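
The same single-place check outside Fusebox, as an added example that is not part of the original message: an Application.cfc whose onRequestStart rejects a data-changing action unless it arrived as a POST. The application name, the `fuseaction` parameter name, the action list (copied from the Fusebox snippet) and the 405 response are assumptions; the verb is read from CGI.REQUEST_METHOD.

```cfml
<!--- Application.cfc: added example, not code from the original message --->
<cfcomponent output="false">
    <cfset this.name = "postOnlyFilterDemo"><!--- assumed application name --->

    <!--- Constructed list of "must use POST" actions, mirroring the Fusebox example --->
    <cfset variables.dataChangingActions = "doupdate,dosomething">

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <cfset var action = "">

        <!--- The action name may arrive in the form body or the query string --->
        <cfif structKeyExists(form, "fuseaction")>
            <cfset action = form.fuseaction>
        <cfelseif structKeyExists(url, "fuseaction")>
            <cfset action = url.fuseaction>
        </cfif>

        <!--- Actions may be written circuit.fuseaction; compare only the last part --->
        <cfset action = listLast(action, ".")>

        <cfif listFindNoCase(variables.dataChangingActions, action)
              and CGI.REQUEST_METHOD neq "POST">
            <!--- Reject before any handler runs: 405 plus the one verb that is allowed --->
            <cfheader statuscode="405" statustext="Method Not Allowed">
            <cfheader name="Allow" value="POST">
            <cfabort>
        </cfif>

        <cfreturn true>
    </cffunction>
</cfcomponent>
```

Requests for actions not on the list pass through untouched, so query-only GET forms such as searches keep working.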