How To Prevent Form Tampering

For Yii delete and update operations how do we validate that the contents of the form request came from the current site and not somewhere else.

Maybe from referer or inserting check code to verify source.

referer will not be secure that much because if attacker use the server request itself by modifing the grid data using firebug.

How about using CSRF-Validation? And only using POST for update and delete operations.

Hi Ganesh Bora,

Yii has a built-in CSRF prevention mechanism.


beat me too it. Was just reading about this in Larry Ullman’s Yii Book.

Spot on, and whilst should be a given about POST for update and delete operations, i had an interview recently where they asked me about POST/GET and I failed to mention this face palm I did get the job but couldn’t believe I didn’t know what they were getting at when they asked about it.

If the best practice dictates that only POST should be used for delete then why is Yii crud using GET for deleting a record?

In this particular and specific case, you could use two extra field, f1 and f2,

where f2 = function(f1) and then server side you check that f2 is exactly

function(f1), know algorithm of function.

Gii is using POST for delete action. Check the “actionDelete” method of a CRUD controller. :)

It’s true that the delete button of CGridView is a link to the delete action, but it will fail if you have disabled javascript, because yii.gridview.js is handling the click of a delete link to fire an ajax request using POST method.

If you create a new model using gii, Yii creates the following delete function which only allows deletes using POST:


* Deletes a particular model.

* If deletion is successful, the browser will be redirected to the 'admin' page.

* @param integer $id the ID of the model to be deleted


public function actionDelete($id)




        // we only allow deletion via POST request


        // if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser


            $this->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin'));



        throw new CHttpException(400,'Invalid request. Please do not repeat this request again.');


Yep I stand corrected. Thanks!