On Wed, Jun 02, 2010 at 03:29:25PM +0300, Robert Ullmann wrote:
> I've protected against it by encoding the token *after* the text,
> title, and edit summary. Presumably no token means it won't edit?

I believe the standard HTML edit form places the hidden fields at the
end for the same reason. You could also place the "action" at the end,
so if truncated the API request will fail for having no action
specified.

With the API, you could also use the "md5" option to action=edit (this
can also help catch certain charset encoding issues). Or, theoretically,
using multipart/form-data instead of application/x-www-form-urlencoded
for your POST would cause your post to be malformed if truncated, but I
wouldn't be extremely surprised if PHP "fixes" that.
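
The field ordering and "md5" suggestions above, as an added Python example that is not part of the original thread: it builds an action=edit body in a weak and a hardened order and replays every possible truncation. `simulated_server` is a simplified local stand-in for the server-side checks (an assumption, not MediaWiki's code), and the token is a constructed sample.

```python
import hashlib
from urllib.parse import urlencode, parse_qs

TOKEN = "0123456789abcdef+\\"  # constructed sample token, not a real one

def build_body(title, text, summary, token, hardened=True):
    """URL-encode an action=edit POST body; the field order is the point here."""
    content = [("title", title), ("summary", summary), ("text", text)]
    if not hardened:
        # Weak order: control fields first, text last, no checksum.
        return urlencode([("action", "edit"), ("token", token)] + content)
    md5 = hashlib.md5(text.encode("utf-8")).hexdigest()
    # Hardened order: checksum, token and action all follow the content.
    return urlencode(content + [("md5", md5), ("token", token), ("action", "edit")])

def simulated_server(body, expected_token=TOKEN):
    """Simplified stand-in for the server checks; returns the saved text or None."""
    q = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if q.get("action") != "edit" or q.get("token") != expected_token:
        return None
    if "title" not in q or "text" not in q:
        return None
    if "md5" in q and hashlib.md5(q["text"].encode("utf-8")).hexdigest() != q["md5"]:
        return None
    return q["text"]

def accepted_truncations(body):
    """Saved text for every proper prefix of the body that is still accepted."""
    results = []
    for cut in range(len(body)):
        saved = simulated_server(body[:cut])
        if saved is not None:
            results.append(saved)
    return results

if __name__ == "__main__":
    text = "Ünïcode wiki text, long enough to be cut in transit."
    for hardened in (False, True):
        body = build_body("Sandbox", text, "test edit", TOKEN, hardened)
        label = "hardened" if hardened else "weak"
        print(label, "order, truncated bodies accepted:",
              len(accepted_truncations(body)))
```
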