... the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.
These methods ought to be considered "safe" ...
$_POST superglobal and not $_GET or $_REQUEST
Try to force the use of your own forms
On form generation, store unique token in user $_SESSION and form hidden field
On submit, check token
Limits attack to only single user
Attacker would need to obtain users valid form AND session token
