Let's say you're making a blog application, and you're trying to decide how to build the comment form for a particular post. Would you

  1. put the blog_post_id as a hidden form field in the comment form, or would you
  2. set the form action to post_comment?blog_post_id=<id> and then grab it from the GET variable instead?

Why?


My 2 cents:

If you put it into POST, then all your variables are in a consistent location when you're trying to process the form. However, I find that often the blog_post_id will be in the URL anyway, so you're sending a tiny bit of extra unneeded data (and have to go through the work of printing the hidden field).

A: 

I will select the first option, which seems to be better. If you use the second option, the one with GET, I am allowing users to tamper with my comment form, which is bad and can sometimes create security issues if you do not pay attention to that.

Sarfraz
A hidden field in the comment form can also be spoofed. "Security" is a non-issue as far as this decision goes.
Anon.
Agree with Anon. Whatever you allow to be sent from the user's side could actually be modified by the user. That's the same reason DRM doesn't work so far...
Alfabravo
@Anon: I said initially "I will select the first option which seems to be better." The hidden approach is better than the GET way, but it is not perfect either. I never said that, but because I was left with two options I had to select one option. Hope you understand that.
Sarfraz
You say it "seems to be better", but you did not provide *any* valid justification for that. If you're just pulling an opinion out of nowhere, say that you're pulling it out of nowhere instead of trying to justify it with something incorrect.
Anon.
+2  A: 

Technically there really isn't a whole lot of difference between the two options. Personally, I'd go with the hidden POST because the URL looks cleaner and you won't have to worry about URL escaping the value*.

* That should be a non-issue for a numeric id, but oh well...


Re Edit:

> However, I find that often the blog_post_id will be in the URL anyway...

This is totally up to you. If you want it there, you can put it there, but you don't need to.

> ...and have to go through the work of printing the hidden field.

Again, there really isn't a whole lot of difference...

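```php
<!-- id travels in the query string of the action URL, so it is URL-encoded -->
<form action="/post_comment?post_id=<?php echo urlencode($id); ?>" method="post">
```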

vs.

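```php
<!-- id travels in the POST body, so it is HTML-escaped for the attribute -->
<form action="/post_comment" method="post">
<input type="hidden" name="post_id" value="<?php echo htmlspecialchars($id, ENT_QUOTES); ?>" />
```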

The hidden input provides a better separation of concerns (on a micro-scale) and is IMHO slightly more readable, while the GET variable is one line less code... Take your pick. :)

deceze
Except most of the time it'll be appearing in the URL anyway, because you typically want to redirect back to that blog post so you can see your comment.
Mark
@Mark Redirecting back to the post doesn't mean you have to put anything in the URL to `/post_comment`.
deceze
Well...no, not necessarily. I guess you could stuff that into post too?? But when you want to *view* a page, it typically makes sense to have it in the URL, no?
Mark
@Mark Well, yes, for *viewing* a page (GET requests) you'll need some parameter in the URL, unless you want to turn RESTfulness on its head and make every page a POST page. As concerns your question though, I'd prefer to use a URL as clean as possible. You asked for opinions, that's mine. You can debate both solutions into eternity, as, again, they're equally valid. If you already have a preference, go with it! :o)
deceze
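
Both forms in the answer above send `post_id` from the browser, and as the comments on the first answer point out, either one can be altered by the user. The following is an added example, not code from the thread: a server-side check for `/post_comment` that treats the id the same way whichever form sent it. The function name, the callback and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: return a trusted post id, or null if the request
 * should be rejected. $query and $body stand in for $_GET and $_POST.
 */
function resolve_post_id(array $query, array $body, callable $postAcceptsComments): ?int
{
    $ids = [];
    foreach ([$query, $body] as $source) {
        if (!array_key_exists('post_id', $source)) {
            continue;
        }
        $raw = $source['post_id'];
        // Only a plain positive decimal string is accepted; arrays
        // (post_id[]=1), signs, whitespace and trailing text are refused.
        if (!is_string($raw) || preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
            return null;
        }
        $ids[] = (int) $raw;
    }
    // Missing id, or the URL and the hidden field disagree: refuse to guess.
    if ($ids === [] || count(array_unique($ids)) > 1) {
        return null;
    }
    // A well-formed id still has to name a post that may receive comments.
    return $postAcceptsComments($ids[0]) ? $ids[0] : null;
}

// Constructed sample data: post 7 is open, post 12 exists but is closed.
$posts = [7 => true, 12 => false];
$accepts = fn(int $id): bool => $posts[$id] ?? false;

// Constructed requests as [query string, POST body] pairs.
$requests = [
    'hidden field'           => [[], ['post_id' => '7']],
    'query string'           => [['post_id' => '7'], []],
    'edited to unknown post' => [[], ['post_id' => '999']],
    'edited to closed post'  => [['post_id' => '12'], []],
    'not a number'           => [[], ['post_id' => '7abc']],
    'URL and field disagree' => [['post_id' => '7'], ['post_id' => '12']],
    'id missing'             => [[], []],
];
foreach ($requests as $label => [$query, $body]) {
    $id = resolve_post_id($query, $body, $accepts);
    printf("%-24s %s\n", $label, $id === null ? 'rejected' : "accepted for post $id");
}
```

In a real handler the call would be `resolve_post_id($_GET, $_POST, ...)` with a callback that looks the post up in the database.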