Post Support For Action Parameter Binding

Action Parameter Binding as implemented in CInlineAction currently only supports $_GET parameters, so parameters from POST requests won’t be bound.

If CInlineAction would use CHttpRequest->getParam($name) instead of $_GET[$name]

in the run() method, it would support Action Parameter Binding in both GET and POST requests.

I would prefer that behavior.

Please also see this changeset which allows easier extension of CInlineAction:

Why was it set to _GET instead of _REQUEST in the first place? Is there some security thing that I’m not understanding? (Or CHttpRequest->getParam($name))

$_REQUEST includes $_GET, $_POST… and $_COOKIE. So yes, it’s security thing: malicious user can override your variables by setting a cookie with the same name as your $_GET or $_POST parameter.

_REQUEST is evil and should never have been in the language in the first place. It serves no useful purpose whatsoever (unless you consider making things more ambiguous and less secure useful).

since version 1.1.7 this is now done via overriding getActionParams() from CController.

e.g. put this in components/Controller.php

public function getActionParams() { return array_merge($_GET, $_POST); }

to have both GET and POST parameters bind to action parameters.

Security leaks FTW ! :blink:

There is a reason register_globals is deprecated; don’t simulate it!

ScallioXTX, can you provide an example of why this is the security leak?

It may not be a very good example, but merging these two arrays makes it very easier to try and brute force stuff, as you could put the username and password in the URL and keep blasting. Creating POST requests is a little harder.

Plus I guess I’m not a fan of not knowing precisely where all my variables are coming from. It feels nasty.


Creating POST requests isn’t harder at all. Ones who’re breaking our apps are sometimes very clever guys.

POST params should only be used to post data to the server, not to route a request. So the current behaviour is fine.

Just rethinking this… Since you validate input before using it, does it really matter from which source it comes? I think I understand the different purposes of GET and POST data, but should our actions have to deal with that?

Just for everyone who’s interested in this feature request: Quite some time ago, I wrote a filter that allows pretty flexible configuration of action parameters. Have a look here: