Codeigniter controllers: POST with private functions or no-POST with public functions?

With security in mind is it best to (for codeigniter apps):

1. Have a controller that checks for POST input and then delegate to private functions.

OR

1. Have a controller with a bunch of public functions.

My consideration here is if we a开发者_StackOverflow社区llow the users to see the URL, they can just use that URL again to do some action. But if we stick with the POST-delegation method, not everyone will be able to customize their own POST info and try to game the system.

But is this really a concern of significance?? Are there any best practices for this type of concern?

Notes: I use a lot of AJAX on the app as well.

---

Just my personal opinion but I would go with your first option, use POST with private functions.

I like to keep my Controllers locked down, they are independent and private and are in fact in control! They can instantiate the other 'service' classes (e.g. Models and Views), call the public methods in the Models and then push the data in to the Views public vars.

In my eyes it's like this:

• Controller classes are independent (perhaps extending a common base class, but the same could easily be achieved with static methods), they have private methods!
• Model classes are also largely independent but with, of course, public functions to retrieve and process data!
• View classes are where you'll get your public methods to render data to the page etc.

Just a thought on your AJAX too: I use a custom handler class to serve as a controller and abstraction layer for all AJAX requests. This way you can maintain tighter security over your AJAX access and data!

hth

---

My 2p: Enable CSRF protection (which is present in CI 2.0.3) should go some way to satisfy your security considerations about having "any old data" being POSTed to your controllers.

http://codeigniter.com/user_guide/libraries/security.html (at the end).