Question

I have two different kinds of actions that I trigger from an HTML form:

  1. db search (e.g. searchUser)
  2. db changes (e.g. createNewUser, updateUserData)

Now there are different ways to trigger the actions:

2.1 - put an action parameter into the query string

    <form action="index.php?page_id=xx&user_id=yy&action=updateUserData" method="post">
      <input ... />
    </form>

2.2 - create an input field named action

    <form action="index.php?page_id=xx&user_id=yy" method="post">
      <input name="action" value="updateUserData" type="hidden" />
      <input ... />
    </form>

(For the search form these two different ways do not matter, because there I use method="get".)

Now my question is: which would be better, 2.1 or 2.2?

I'm tending toward 2.2, because I don't want actions to be triggered by URL (e.g. bookmark, link).


Solution

Since in both cases you use method=post, go with version 2.

  1. URLs have a max length that you might hit with too many parameters (some thousand chars)
  2. List input fields are easier to manipulate with JavaScript (jQuery and alike)
  3. The usual user does not see all those ugly URLs

Just remember: hidden fields are hidden, but it's a matter of seconds to access them. So never trust user data and always escape your data.

"because I don't want actions to be triggered by URL"

Always assume that all users are evil. If this link could cause damage, so could a form. Use some authentication.
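An added example, not part of the original answer: one way to enforce the advice above on the server, by reading the action from the POST body only, matching it against an allow-list, and requiring a logged-in session. The function name `resolveAction`, the session keys `user_id` and `csrf_token`, and the per-form token check are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added example. Action names come from the question; everything else
// (function name, session keys, token field) is hypothetical.
const ACTIONS = [
    'searchUser'     => 'GET',
    'createNewUser'  => 'POST',
    'updateUserData' => 'POST',
];

// Returns [HTTP status, action name or null] for one request.
function resolveAction(string $method, array $get, array $post, array $session): array
{
    // For POST, take the action from the body only, so a link or bookmark
    // carrying ?action=... can never select a state-changing action.
    $source = $method === 'POST' ? $post : $get;
    $action = $source['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return [400, null];   // missing or unknown action
    }
    if (ACTIONS[$action] !== $method) {
        return [405, null];   // e.g. updateUserData requested via GET
    }
    if (!isset($session['user_id'])) {
        return [401, null];   // a hidden field is not authentication
    }
    if ($method === 'POST') {
        $sent = $post['csrf_token'] ?? '';
        $expected = $session['csrf_token'] ?? '';
        if (!is_string($sent) || !is_string($expected) || $expected === ''
            || !hash_equals($expected, $sent)) {
            return [403, null];   // form was not issued to this session
        }
    }
    return [200, $action];
}

// Constructed requests: a crafted link, then a genuine form submission.
$session = ['user_id' => 7, 'csrf_token' => 'constructed-token'];
var_dump(resolveAction('GET', ['action' => 'updateUserData'], [], $session));
var_dump(resolveAction('POST', [], ['action' => 'updateUserData', 'csrf_token' => 'constructed-token'], $session));
```

In a real page the arguments would be `$_SERVER['REQUEST_METHOD']`, `$_GET`, `$_POST` and `$_SESSION`, and each handler would still validate and escape its own fields.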

OTHER TIPS

2.2 would be better if you don't want to trigger the events by the URL.

    if (isset($_POST['action'])) { // If the form has been submitted

        $userid = $_POST['userid'];

        // Rest of code to add user

    } else {

        // Form not submitted

    }

Licensed under: CC-BY-SA with attribution