On Wed, Jun 02, 2010 at 03:29:25PM +0300, Robert Ullmann wrote:
> I've protected against it by encoding the token *after* the text, title, and edit summary. Presumably no token means it won't edit?
I believe the standard HTML edit form places the hidden fields at the end for the same reason. You could also place the "action" at the end, so if truncated the API request will fail for having no action specified.
With the API, you could also use the "md5" option to action=edit (this can also help catch certain charset encoding issues). Or, theoretically, using multipart/form-data instead of application/x-www-form-urlencoded for your POST would cause your post to be malformed if truncated, but I wouldn't be extremely surprised if PHP "fixes" that.
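The following is an added example, not part of the original message or of MediaWiki's code. It builds an `action=edit` POST body with the `md5` parameter set and the token as the last field, then checks every possible truncation point against a fragile layout (token first, text last, no `md5`). The `would_accept` function is a simplified, assumed model of the server-side checks, and the token, title and text are constructed sample values.

```python
import hashlib
from urllib.parse import urlencode, parse_qs

TOKEN = "0123456789abcdef+\\"   # constructed sample; real tokens come from the API

def build_edit_body(title, text, summary, token, hardened=True):
    """URL-encode an action=edit POST body.

    hardened=True: md5 of the text is included and the token is the last field.
    hardened=False: token first, text last, no md5 (the fragile layout).
    """
    content = [("title", title), ("summary", summary), ("text", text)]
    if hardened:
        digest = hashlib.md5(text.encode("utf-8")).hexdigest()
        fields = [("action", "edit")] + content + [("md5", digest), ("token", token)]
    else:
        fields = [("action", "edit"), ("token", token)] + content
    return urlencode(fields)

def would_accept(body, expected_token):
    """Simplified model of the server-side checks (an assumption, not MediaWiki code)."""
    q = parse_qs(body, keep_blank_values=True)
    if q.get("action") != ["edit"] or q.get("token") != [expected_token]:
        return False          # missing or damaged action/token: no edit is made
    if "md5" in q:
        text = q.get("text", [""])[0]
        return hashlib.md5(text.encode("utf-8")).hexdigest() == q["md5"][0]
    return True

def truncation_survivors(body, expected_token):
    """Lengths n < len(body) at which the truncated body[:n] is still accepted."""
    return [n for n in range(len(body)) if would_accept(body[:n], expected_token)]

if __name__ == "__main__":
    args = ("Sandbox", "première ligne\nsecond line of the page", "test edit", TOKEN)
    for hardened in (True, False):
        body = build_edit_body(*args, hardened=hardened)
        survivors = truncation_survivors(body, TOKEN)
        print("hardened" if hardened else "fragile", "accepted truncations:", len(survivors))
```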