
Fetch POST via form action attribute

Developer https://www.devze.com 2023-03-11 19:07 Source: web

I don't remember where I read this: Passing data via the form action attribute is safer than passing it via a href attribute. Safer in terms of validating the segment because it's $_POST and you can compare tokens for CSRF protection when a form is submitted, unlike a direct link. Is this true?

If suppose I have the following action in a form,

<form method="post" action="/edit/pictures/delete/2235/">

Can I get the URI segment 2235 via $_POST?

Edit: Please assume that there is a URL rewrite. 2235 is a variable value. I'm not asking how to retrieve 2235, just if I can retrieve it via $_POST


On your action page, explode $_SERVER['REQUEST_URI'].

$parts = explode('/', $_SERVER['REQUEST_URI']);

foreach($parts as $slug)
{
    echo htmlspecialchars($slug);
}

You should be able to extract that ID.

Another approach is just to put it as a hidden HTML field:

<input type="hidden" name="id" value="2235" />


When you POST a form to a PHP endpoint, $_POST only gets populated with data from the input elements. The request path is available in $_SERVER['REQUEST_URI']. To get the id out of the request path, you'll probably want to use a regular expression like this:

// Capture only the digits: $matches[1] holds the id, whereas $matches[0]
// would be the whole match including the surrounding slashes ('/2235/').
if (preg_match('#/(\d+)/?$#', $_SERVER['REQUEST_URI'], $matches) === 1) {
    $id = $matches[1]; // Contains '2235'
}

Regarding your question about safety -- the answer is POST is absolutely no safer than GET. They are different HTTP verbs, and carry data in a slightly different way, but either way the data your app receives cannot be trusted. It's just as easy to spoof a POST request (like a form) as it is to spoof a GET request (like an anchor link).
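To make the two points above concrete (the id lives in the path, not in $_POST, and the request still needs its own validation), here is an added example that is not part of the original answers. It assumes a route of the shape /edit/pictures/delete/<id>/ and a session-stored CSRF token named csrf_token; both names are assumptions for illustration. It strips any query string before matching, accepts only a digit-only id segment, and compares the submitted token against the session copy in constant time with hash_equals().

```php
<?php
// Added example, not from the original answers. Assumes a route of the form
// /edit/pictures/delete/<id>/ and a CSRF token stored in the session under
// 'csrf_token' (both names are assumptions for illustration).

declare(strict_types=1);

/**
 * Extract the numeric picture id from the request path.
 * Returns null when the path does not have the expected shape, so the caller
 * never acts on a malformed or missing id.
 */
function extract_delete_id(string $requestUri): ?int
{
    // Strip any query string first: REQUEST_URI may contain "?x=y".
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return null;
    }
    // Anchor the whole path; only digits are accepted as the id segment.
    if (preg_match('#^/edit/pictures/delete/(\d{1,10})/?$#', $path, $m) !== 1) {
        return null;
    }
    return (int) $m[1];
}

/**
 * Compare the submitted CSRF token against the one stored in the session.
 * hash_equals() is constant-time; both values must be non-empty strings.
 */
function csrf_token_is_valid(array $post, array $session): bool
{
    $submitted = $post['csrf_token'] ?? null;
    $expected  = $session['csrf_token'] ?? null;
    if (!is_string($submitted) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Decide whether a delete request may proceed: it must be a POST, carry a
 * valid CSRF token, and name a well-formed id. Returns the id, or null.
 */
function authorize_delete(string $method, string $requestUri, array $post, array $session): ?int
{
    if ($method !== 'POST' || !csrf_token_is_valid($post, $session)) {
        return null;
    }
    return extract_delete_id($requestUri);
}

// Constructed sample requests (not real traffic): one genuine form post,
// one with a wrong token, one GET, and one with a non-numeric id segment.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$good    = ['csrf_token' => $session['csrf_token']];
$forged  = ['csrf_token' => str_repeat('0', 32)];

var_dump(authorize_delete('POST', '/edit/pictures/delete/2235/', $good, $session));
var_dump(authorize_delete('POST', '/edit/pictures/delete/2235/?x=1', $good, $session));
var_dump(authorize_delete('POST', '/edit/pictures/delete/2235/', $forged, $session));
var_dump(authorize_delete('GET',  '/edit/pictures/delete/2235/', $good, $session));
var_dump(authorize_delete('POST', '/edit/pictures/delete/abc/', $good, $session));
```

Only the first two calls yield an id; the forged token, the GET, and the non-numeric segment are all rejected before anything is deleted. In a real handler you would pass $_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'], $_POST and $_SESSION instead of the constructed arrays, and the token check is what actually distinguishes a deliberate form submission from a link or a cross-site request; the HTTP verb alone does not.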


If you use such URLs, you'll probably have some .htaccess that translates it to query parameters accessed from $_GET - try something like this [writing from my mind, needs testing]:

# In .htaccess the matched path has no leading slash; index.php is an assumed front controller.
RewriteRule ^edit/pictures/delete/(\d+)/?$ index.php?module=pictures&action=delete&id=$1 [L]

If not, you can always access $_SERVER['REQUEST_URI'] and extract necessary information from there.
