If you’re creating a RESTful web service, at some point you’re going to need to use verbs other than GET and POST. The problem is, none of the browsers available today will submit a form with anything other than those two HTTP request methods.
There is a simple and effective cheat, however. I found it referred to as “tunneling over POST” and it works like this. For forms with a method other than GET or POST, you add a hidden field to contain the desired HTTP method, and then you change the form method to POST. Then, on the server, you check for a condition where the HTTP method is POST and the hidden field is present. In this circumstance, you interpret the request method from the hidden field, and not from the actual request method.
Of course this is a cheat and the actual method being used is POST, so if any intermediary logic depends on the method really being DELETE or PUT, then this will fail. In addition, request logs could be in error, depending on where they’re gathered. But if all you care about is planning for the future when browsers will natively support PUT and DELETE, then this hack lets you write your framework in such a way that you can remove this shim easily down the road.
Then, on the server side before any logic that might care about the HTTP request method runs, I do this:
If the request method is POST with the hidden “_tunneled_http_method” field present, then we replace the superglobal
$_SERVER['REQUEST_METHOD'] variable with the value from the hidden field, and then unset the hidden field. Bam, it’s like it never happened.