Jason

Reputation: 11363

Differing URL between submit button value and reality

I'm building a stripped-down CMS for a school project, and am running into issues regarding deleting a user.

On the site admin page, which is only accessible via an admin login name and related password, a table of existing users is populated. Each row displays vital stats about the user, as well as a Delete button.

As this admin page is the same URL as the regular user admin page, I've used the echo statement to write out the table elements only if the login is the admin. The button calls a function in an external script via a GET request and attaches the userID to the URL.

At least that's what is supposed to happen. According to Firebug, the button element has the following attributes:

<form id="deleteUser" method="get" action="includes/scripts.php?action=deleteUser&id=18" name="deleteUser">
<input type="submit" value="Delete" name="submit">

However, when clicking on the button above, I get the URL

http://localhost/TestingLab/admin/includes/scripts.php?submit=Delete

What's the deal?

Upvotes: 0

Views: 306

Answers (1)

Quentin

Reputation: 943537

Submitting a GET form will trash any existing query string.

Move the data to hidden inputs instead.

<form id="deleteUser" method="get" action="includes/scripts.php">
<input type="hidden" name="action" value="deleteUser">
<input type="hidden" name="id" value="18">
<input type="submit" value="Delete" name="submit">
</form>

… but don't change things on the server based on a GET request. GET requests are supposed to be repeatable and safe. Use POST.

Upvotes: 2
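An added example (not part of the original question or answer) that models in JavaScript how a browser builds the request for the three forms discussed above: the question's form, the hidden-input version, and a POST version. The `buildRequest` helper and the field lists are assumptions constructed from the markup on this page.

```javascript
// Added example: models how a browser turns a form submission into a request.
// The page URL and field lists are constructed from the markup quoted above.
function buildRequest(pageUrl, form) {
  const target = new URL(form.action, pageUrl);   // resolve the relative action
  const data = new URLSearchParams(form.fields);  // submitted controls, in order
  const method = (form.method || "get").toUpperCase();
  if (method === "GET") {
    // HTML form submission for GET: the encoded form data REPLACES the
    // action URL's query string; it is not appended to it.
    target.search = data.toString();
    return { method, url: target.href, body: null };
  }
  // POST: the action URL is used unchanged; form data goes in the request body.
  return { method, url: target.href, body: data.toString() };
}

const PAGE = "http://localhost/TestingLab/admin/";
const submitButton = ["submit", "Delete"];
const hiddenFields = [["action", "deleteUser"], ["id", "18"], submitButton];

// 1. The form from the question: parameters only in the action attribute.
const original = buildRequest(PAGE, {
  method: "get",
  action: "includes/scripts.php?action=deleteUser&id=18",
  fields: [submitButton],
});

// 2. The answer's form: parameters moved into hidden inputs, still GET.
const withHiddenInputs = buildRequest(PAGE, {
  method: "get",
  action: "includes/scripts.php",
  fields: hiddenFields,
});

// 3. The answer's recommendation: same hidden inputs, submitted with POST.
const posted = buildRequest(PAGE, {
  method: "post",
  action: "includes/scripts.php",
  fields: hiddenFields,
});

console.log(original.url);          // action and id are gone from the query
console.log(withHiddenInputs.url);  // action and id survive as form fields
console.log(posted.url, posted.body);
```

With POST the delete parameters no longer sit in a URL that a reload, prefetcher or crawler can replay, which is the point of keeping GET requests safe. The server-side handler should also refuse the delete action when the request method is not POST.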
