HTTP Method Spoofing in CodeIgniter 4


HTTP method spoofing lets a form-based request be handled as an HTTP verb such as PUT or DELETE. Browser forms can only submit with the GET and POST methods; they don’t allow a request to be submitted using PUT, PATCH or DELETE.

Think about RESTful cases, where we need update and delete operations. The same need arises outside REST, in ordinary web application forms that perform updates and deletes.

In this article we will see how HTTP method spoofing works in CodeIgniter 4. It is a very basic guide that explains the whole method spoofing concept.

Note: This article uses a CodeIgniter v4.1 setup. By the time you read this, the version may have been updated. CodeIgniter 4.x is still in development mode.

Let’s get started.


Download & Install CodeIgniter 4 Setup

We need to download and install the CodeIgniter 4 application setup on our system. There are several ways to do this.

Here are the ways to download and install CodeIgniter 4 –

  • Manual Download
  • Composer Installation
  • Clone Github repository of CodeIgniter 4


Here is the command to install via composer –

$ composer create-project codeigniter4/appstarter codeigniter-4

We assume you have successfully installed the application on your local system.


Turn Development Mode On

When we install CodeIgniter 4, there is an env file at the project root. To use environment variables, that is, variables available at global scope, we need to copy env to .env.

Open the project in a terminal and run:

$ cp env .env

The above command creates a copy of the env file named .env. Now we are ready to use environment variables.

CodeIgniter starts up in production mode by default. Let’s switch it to development mode, so that any error we hit while working is displayed.

# CI_ENVIRONMENT = production

Change it to:

CI_ENVIRONMENT = development

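Now the application is in development mode. Keep this setting to local work: detailed error pages expose file paths and stack traces, so a deployed site should stay in production mode.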


What is Method Spoofing?

HTTP method spoofing means performing PUT, PATCH and DELETE operations by sending the intended method type in a hidden field, which the server then uses to process the request.

Let’s make this concept clearer with a bit more explanation.

  • The GET method is used directly when we open any URL in a browser. It is generally used to list resource data.
  • The POST method is used when we submit form data to the server for processing. It is generally used to save our data.
  • The PUT or PATCH method lets us perform an update operation. It updates existing data on the server.
  • The DELETE method is used to delete resource data on the server.

Now, here comes the twist.

Take a CRUD application as an example, where CRUD stands for Create, Read, Update & Delete.

What do you do? You create a form -> save it via the POST method -> list the saved data via the GET method. But how can you use PUT, PATCH or DELETE to update and delete?

To complete the PUT, PATCH or DELETE actions, we define the method in a hidden input field and then submit the data to the server.

Normal HTML forms don’t support the PUT, PATCH or DELETE actions. That’s why, when PUT, PATCH or DELETE routes are called from an HTML form, we have to add a hidden _method field to the form. The value sent with the _method field is then used as the HTTP request method.

<form action="<Action-URL>" method="POST">

    <input type="hidden" name="_method" value="PUT">

</form>
  • The form sends a POST request, which HTML forms understand, but the _method field and its value PUT alter the action method at the server.
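
The override rule described above, written out as an added example (it is not code from this article or from CodeIgniter itself). The function name, the constant and the sample requests are hypothetical, and it assumes the server honors _method only on a real POST and only for PUT, PATCH and DELETE, so a plain link or an unexpected field value cannot change the method.

```php
<?php
// Added illustration, not CodeIgniter source. Names below are hypothetical.
// Assumption: only PUT, PATCH and DELETE may be requested through _method.
const SPOOFABLE_METHODS = ['PUT', 'PATCH', 'DELETE'];

/**
 * Return the method the router should match on, given the real HTTP
 * method of the request and the decoded POST body fields.
 */
function resolveEffectiveMethod(string $realMethod, array $postFields): string
{
    $realMethod = strtoupper($realMethod);

    // Only a real POST may carry an override; a GET (link, image tag)
    // with _method in it keeps its own method.
    if ($realMethod !== 'POST') {
        return $realMethod;
    }

    // Missing field, or a non-string such as _method[]=PUT: no override.
    $override = $postFields['_method'] ?? null;
    if (!is_string($override)) {
        return $realMethod;
    }

    // Normalise case, then accept only the allow-listed verbs.
    $override = strtoupper(trim($override));
    return in_array($override, SPOOFABLE_METHODS, true) ? $override : $realMethod;
}

// Constructed sample requests: [real method, POST fields, expected result]
$samples = [
    ['POST', ['_method' => 'PUT'],     'PUT'],
    ['POST', ['_method' => 'delete'],  'DELETE'],
    ['POST', [],                       'POST'],
    ['GET',  ['_method' => 'DELETE'],  'GET'],
    ['POST', ['_method' => 'TRACE'],   'POST'],
    ['POST', ['_method' => ['PUT']],   'POST'],
];

foreach ($samples as [$real, $fields, $expected]) {
    $got = resolveEffectiveMethod($real, $fields);
    printf("%-4s %-22s => %-6s %s\n", $real, json_encode($fields), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```
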

Method Spoofing Demonstration

Let’s create a controller and define a few routes with the GET, POST, PUT & DELETE method types in Routes.php.

Add Routes

Open Routes.php from /app/Config folder. Add these routes into it.

//...

$routes->get("add-member", "Member::createMember");
$routes->post("submit-data", "Member::saveMember");
$routes->put("update-member", "Member::updateMember");
$routes->delete("delete-member", "Member::deleteMember");

//...

Create a Controller

$ php spark make:controller Member

It will create Member.php inside /app/Controllers folder. Open Member.php and write this code into it.

<?php 

namespace App\Controllers;

class Member extends BaseController
{
  public function createMember(){
    return 'Create member method - GET';
  }

  public function saveMember(){
    return 'Save Member method - POST';
  }

  public function updateMember(){
    return 'Update Member method - PUT';
  }

  public function deleteMember(){
    return 'Delete Member method - DELETE';
  }
}

Form – View File

<form action="/submit-data" method="post"> 

     <button type="submit">Submit</button>

</form>

Output

Save Member method - POST

<form action="/update-member" method="post">

     <input type="hidden" value="PUT" name="_method"> 
       
     <button type="submit">Submit</button>

</form>
  

Output

Update Member method - PUT

<form action="/delete-member" method="post">

     <input type="hidden" value="DELETE" name="_method"> 
       
     <button type="submit">Submit</button>

</form>
  

Output

Delete Member method - DELETE

As you can see, we complete our PUT & DELETE actions by using the HTTP method spoofing concept.

We hope this article helped you learn about HTTP method spoofing in CodeIgniter 4 in detail.
