HTTP Method Spoofing in CodeIgniter 4

HTTP method spoofing is used to send requests with HTTP verbs such as PUT and DELETE from a browser. Browser forms can submit only with the GET and POST methods; they do not allow a request to be submitted using PUT, PATCH or DELETE.

Think about RESTful cases, where we need update and delete operations. The same need arises in ordinary web application forms that update or delete data.

In this article we will see how to use HTTP method spoofing in CodeIgniter 4. It is a very basic guide that explains the whole concept of method spoofing.

Let’s get started.

CodeIgniter 4 Installation

To create a CodeIgniter 4 setup, run the following command in your shell or terminal. Make sure Composer is installed.

composer create-project codeigniter4/appstarter codeigniter-4

We assume you have successfully installed the application on your local system.

Environment (.env) Setup

When we install CodeIgniter 4, there is an env file at the project root. To use environment variables, that is, variables available at global scope, we need to rename env to .env.

We can do this simply by renaming the file, or with a terminal command.

Open the project in a terminal:

cp env .env

The above command creates a copy of the env file named .env. Now we are ready to use environment variables.

Enable Development Mode

CodeIgniter starts up in production mode by default. Switch it to development mode to see errors while you are working on the application.

Open the .env file from the project root.

# CI_ENVIRONMENT = production

# Change it to
CI_ENVIRONMENT = development

Now the application is in development mode.

What is Method Spoofing?

Performing PUT, PATCH and DELETE operations by sending a hidden method type with the request, and having the server process the request as that method, is generally termed HTTP method spoofing.

Let’s clear up this concept with a bit more explanation.

  • GET is used directly when we open any URL in a browser. It is generally used to list resource data.
  • POST is used when we submit form data to the server for processing. It is generally used to save data.
  • PUT or PATCH lets us perform an update operation. It updates existing data on the server.
  • DELETE is used to delete resource data on the server.

Now, here comes the twist.

Consider a CRUD (Create, Read, Update and Delete) application.

What do you do? You create a form -> save it via the POST method -> list the saved data via the GET method. But how can you use PUT, PATCH or DELETE to update and delete?

To complete the PUT, PATCH or DELETE actions, we define the method in a hidden input field and then submit the data to the server.

Normal HTML forms don’t support the PUT, PATCH or DELETE actions. That’s why, when defining PUT, PATCH or DELETE routes that are called from an HTML form, we have to add a hidden _method field to the form. The value sent with the _method field is then used as the HTTP request method.

<form action="<Action-URL>" method="POST">

    <input type="hidden" name="_method" value="PUT">

</form>

  • We send the POST method, which the HTML form understands, to the server, but the _method field and its value PUT alter the method at the server.
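
How a server can resolve the _method field safely, as an added example (not code from the original article or from CodeIgniter itself): the override is accepted only on a real POST, only from the form body, and only for PUT, PATCH or DELETE. The function name resolveEffectiveMethod and the sample requests are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added illustration (hypothetical helper, not CodeIgniter's source):
 * decide which HTTP method the router should see for a request.
 * $queryParams is accepted only to show that it is deliberately ignored.
 */
function resolveEffectiveMethod(string $realMethod, array $postFields, array $queryParams = []): string
{
    $realMethod = strtoupper($realMethod);

    // Honour the override only on a real POST. A GET carrying
    // ?_method=DELETE stays a GET, so a plain link or image URL
    // can never reach the update or delete routes.
    if ($realMethod !== 'POST') {
        return $realMethod;
    }

    // Read the override from the form body only, never the query string.
    $override = $postFields['_method'] ?? null;
    if (!is_string($override)) {
        return $realMethod; // missing, or an array such as _method[]=PUT
    }

    // Allow-list: only the verbs an HTML form cannot send natively.
    $override = strtoupper(trim($override));
    return in_array($override, ['PUT', 'PATCH', 'DELETE'], true) ? $override : $realMethod;
}

// Constructed sample requests: [real method, POST body, query string, expected]
$samples = [
    ['POST', ['_method' => 'PUT'],    [],                      'PUT'],
    ['POST', ['_method' => 'delete'], [],                      'DELETE'],
    ['POST', [],                      [],                      'POST'],
    ['GET',  [],                      ['_method' => 'DELETE'], 'GET'],
    ['POST', ['_method' => 'TRACE'],  [],                      'POST'],
    ['POST', ['_method' => ['PUT']],  [],                      'POST'],
];

foreach ($samples as [$real, $post, $query, $expected]) {
    $got = resolveEffectiveMethod($real, $post, $query);
    printf("%-4s body=%-22s query=%-22s -> %-6s %s\n",
        $real, json_encode($post), json_encode($query), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```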

Method Spoofing Demonstration

Let’s create a controller and define a few routes with the GET, POST, PUT and DELETE method types in Routes.php.

Add Routes

Open Routes.php from /app/Config folder. Add these routes into it.


$routes->get("add-member", "Member::createMember");
$routes->post("submit-data", "Member::saveMember");
$routes->put("update-member", "Member::updateMember");
$routes->delete("delete-member", "Member::deleteMember");


Create a Controller

$ php spark make:controller Member

It will create Member.php inside /app/Controllers folder. Open Member.php and write this code into it.


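<?php

namespace App\Controllers;

class Member extends BaseController
{
  // GET /add-member
  public function createMember(){
    return 'Create member method - GET';
  }

  // POST /submit-data
  public function saveMember(){
    return 'Save Member method - POST';
  }

  // PUT /update-member (reached through a POST form with _method=PUT)
  public function updateMember(){
    return 'Update Member method - PUT';
  }

  // DELETE /delete-member (reached through a POST form with _method=DELETE)
  public function deleteMember(){
    return 'Delete Member method - DELETE';
  }
}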

Form – View File

<form action="/submit-data" method="post">

     <button type="submit">Submit</button>

</form>

Output: Save Member method - POST

<form action="/update-member" method="post">

     <input type="hidden" value="PUT" name="_method">
     <button type="submit">Submit</button>

</form>

Output: Update Member method - PUT

<form action="/delete-member" method="post">

     <input type="hidden" value="DELETE" name="_method">
     <button type="submit">Submit</button>

</form>

Output: Delete Member method - DELETE

Now you can see that we complete our PUT and DELETE actions by using the HTTP method spoofing concept.

We hope this article helped you learn about HTTP method spoofing in CodeIgniter 4 in a detailed way.
