Question

On a PHP page, I have this button with hidden fields on my page:

<form action="admin.php">
        <input name="action" value="delete" type="hidden">
        <input name="id" value="13" type="hidden">
        <input value="Delete user" type="submit">
</form>

On the page admin.php I have this:

switch ($_POST['action'])
{
    case 'delete' :
        if ($_SESSION['role'] == 2)
        {
            if ($user->deleteUser($_POST['id']))
            {
                $_SESSION['alert'] = "User deleted.";
                $_SESSION['alert_type'] = "success";
            } else
            {
                $_SESSION['alert'] = "Something went wrong while deleting the user.";
                $_SESSION['alert_type'] = "error";
            }
        } else
        {
            $_SESSION['alert'] = "You are not allowed to delete a user. You need to be an admin.";
            $_SESSION['alert_type'] = "error";
        }
        $data = $user->getProfiles();
        require 'Views/Admin.view.php';

 // etc

As expected, admin.php loads a list of users, with a delete button next to each one. When I press a delete button, the user is deleted; however, the browser shows the parameters of the hidden field in the address bar, as if it was a GET request.

What is going on?

Solution

GET is the default form action. If you want POST you must specify it:

<form action="admin.php" method="post">
Licensed under: CC-BY-SA with attribution
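
The server-side counterpart of adding method="post", as an added example that is not part of the original question or answer: admin.php can refuse the delete unless the request really arrived as POST, so a form that falls back to GET (and puts the id in the address bar, history and logs) never reaches deleteUser(). The checkDeleteRequest() helper and the csrf_token field are assumptions introduced for illustration; the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example: decide whether a delete request may proceed.
// Returns [allowed, detail]. csrf_token is an assumed extra hidden field,
// it is not in the form shown in the question.
function checkDeleteRequest(string $method, array $post, array $session): array
{
    // A form without method="post" is submitted as GET, so reject it here.
    if ($method !== 'POST') {
        return [false, 'method not allowed'];
    }
    if (($post['action'] ?? '') !== 'delete') {
        return [false, 'unknown action'];
    }
    // Role 2 is the admin role in the question's code.
    if ((int) ($session['role'] ?? 0) !== 2) {
        return [false, 'not an admin'];
    }
    // Constant-time comparison of the per-session token.
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($expected) || $expected === ''
        || !hash_equals($expected, $sent)) {
        return [false, 'bad CSRF token'];
    }
    // Accept only a positive integer id.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [false, 'invalid id'];
    }
    return [true, (string) $id];
}

// Constructed sample requests (not real traffic).
$session = ['role' => 2, 'csrf_token' => bin2hex(random_bytes(16))];
$form = ['action' => 'delete', 'id' => '13', 'csrf_token' => $session['csrf_token']];
$cases = [
    'form without method="post"' => ['GET', [], $session],
    'POST with token'            => ['POST', $form, $session],
    'POST without token'         => ['POST', ['action' => 'delete', 'id' => '13'], $session],
    'POST as non-admin'          => ['POST', $form, ['role' => 1] + $session],
];
foreach ($cases as $label => [$method, $post, $sess]) {
    [$ok, $detail] = checkDeleteRequest($method, $post, $sess);
    printf("%-28s %s (%s)\n", $label, $ok ? 'allow' : 'deny', $detail);
}
```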