By qqboy on 

* Note that 'get' method
* forms do not use form ids so are always considered to be submitted, which
* can have unexpected effects. The 'get' method should only be used on
* forms that do not change data, as that is exclusively the domain of
* 'post.'
------------------
I found the above comment in drupal_build_form; can someone help to make it clear?
2 main questions:
--- 'get' method forms do not use form ids, and why?
--- Note that 'get' method forms do not use form ids so are always considered to be submitted, and why?
--- The 'get' method should only be used on forms that do not change data; what does it mean?

Comments

RoloDMonkey

A good example of a form that would use GET is hinted at in the documentation: a search form. In Drupal, search forms pass the keywords through the URL (GET method), and they only retrieve information. They don't write any of the information that was passed to them back to the database.*

If I have Drupal's core search turned on, and I visit example.com/search/node, it will build the search form. And, it will assume the form has been submitted. Since I haven't provided any keywords, it will create an error message during validation.

If I continue to example.com/search/node/food, then I get back search results that contain the word "food". I don't have to go to the search form first, because the form is automatically submitted with the keyword that is provided in the URL. This can be very useful because it means I can use that URL as a link, and provide a shortcut to that search to anyone I want.

But, that same power is very dangerous. If a form uses the GET method, and it writes user-provided information to the database, then I could trick someone into making an unwanted change just by clicking on a link. I could even do this from a completely different site, and redirect the unsuspecting user to the site I want to attack. This is known as a Cross Site Request Forgery (CSRF).

To sum up:

- Drupal forms with the GET method immediately submit the form with the information that is passed along in the URL. For some things, this is fast and convenient.
- Since the form can be "submitted" during the same request where it is being built for the first time, it won't be able to implement the two-part security provided by the form ID and the form build ID. Therefore, Drupal doesn't bother creating and/or checking those values.
- Because there isn't any two-part security on a form with a GET request, you should never use that method to change the database.

*If you have a search form that is collecting information about what people are searching for, it is technically writing the keywords to the database. That data is handled with an extra level of scrutiny. More importantly, that data is stored in separate tables, and never used to change "important" records, like users or nodes.

--

Read more at iRolo.net
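A small model of the behaviour RoloDMonkey describes, added here as an example and not Drupal's own code: the SITE_SECRET, the session-bound form_token() and the handle() policy are assumptions standing in for the hidden form ID / form build ID fields that a POST form carries and a GET form does not.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

SITE_SECRET = b"constructed-private-key"  # constructed; stands in for the site's private key


def form_token(form_id: str, session_id: str) -> str:
    """Session-bound token for one form: the hidden value only a POST form carries."""
    return hmac.new(SITE_SECRET, f"{session_id}:{form_id}".encode(), hashlib.sha256).hexdigest()


def process_request(form_id: str, method: str, session_id: str, request: dict):
    """Return (submitted, accepted, values), modelling the doc comment:
    GET  - the query string *is* the submission, so the form is always submitted
           and there is no form id or token to check;
    POST - submitted only when the hidden form_id matches, accepted only when the
           token equals the one issued to this session."""
    if method == "get":
        query = parse_qs(request.get("query", ""))
        return True, True, {k: v[0] for k, v in query.items()}
    body = request.get("body", {})
    if body.get("form_id") != form_id:
        return False, False, {}  # first render of the form, nothing to process
    expected = form_token(form_id, session_id)
    accepted = hmac.compare_digest(body.get("form_token", ""), expected)
    values = {k: v for k, v in body.items() if k not in ("form_id", "form_token")}
    return True, accepted, values


def handle(form_id: str, method: str, session_id: str, request: dict, mutates: bool) -> str:
    """Policy from the answer above: a form that changes data must not use GET,
    because a GET submission carries nothing that proves it came from this site."""
    if mutates and method == "get":
        return "refused: data-changing form must use POST"
    submitted, accepted, values = process_request(form_id, method, session_id, request)
    if not submitted:
        return "rendered"
    return f"processed {values}" if accepted else "rejected: bad or missing token"


if __name__ == "__main__":
    # Read-only search form on GET, as the answer describes: fine.
    print(handle("search_form", "get", "sessA", {"query": "keys=food"}, mutates=False))
    # The same mechanism wired to a data change is refused before it can be abused.
    print(handle("delete_node_form", "get", "victim", {"query": "nid=5"}, mutates=True))
```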

Polam

Hi,
How to add, insert a new page (FAQ) page to a Forum on my website?

Jaypan

What does that have to do with this topic?

Polam

Can you help which topic I should use?