<cfscript>

	// In this version, the SUBMITTED value is only observed in the FORM scope, which
	// means that we can be confident that the request was submitted via an HTTP POST (if
	// the value is true).
	param name="form.submitted" type="boolean" default=false;

	if ( form.submitted ) {
		// ... processing form, mutating the system state...
	}

</cfscript>
<cfoutput>

	<cfif form.submitted>
		<p>
			<mark>Thank you for your submission</mark>!
		</p>
	</cfif>

	<!--- REAL form submission. --->
	<form method="post" action="test.cfm">
		<input type="hidden" name="submitted" value="true" />
		<button type="submit">
			Submit Form
		</button>
	</form>

	<!--- FAKE (potentially malicious) form submission. --->
	<p>
		<a href="test.cfm?submitted=true">Fake Submit</a>
	</p>

</cfoutput>