Re: Preventing data from being reposted?

Richard Lynch wrote:
Jochem Maas wrote:

Gareth Williams wrote:

Wouldn't using GET instead of POST help?

in a way it could - but you don't usually want to use a GET as this can be easily spoofed (i.e. anyone could send you a link or post one in a forum that would do the post action without warning you)

which comes down to: you should be 'certified' if you use GET to allow users to submit a payment confirmation - you only want a FORM to be able to submit such a confirmation rather than allowing any old link to issue such a confirmation....

for a much better description on why using GET is 'bad' in this kind of situation I refer you to posts made by Richard Lynch (I think??) in the last 6 weeks (can't remember the subject I'm afraid)


Gah!

I'm actually the one who said you should *NOT* fool yourself that POST is
any "more secure" than GET.

oops!


Only the dumbest of the dumb can't figure out how to save an HTML form and modify it to POST whatever they want to your script.

Choosing POST over GET should be a matter of aesthetics, not security.

the point I was trying to make is that if you use POST then you know that the user had to submit a form. the reason to use POST therefore is simply that a _third_party_ cannot trick one of your users into clicking a link that actually changes a


I have many scripts that will behave "the same" with GET or POST input.

Or, more correctly, would do the same thing if you were trying to spoof
them with GET/POST input.

The most common example is to view/edit a record in the database, I often
use a link with GET to get to the edit page, and that has a FORM (POST) to
the same page to update the record.

I'll use REQUEST all over, and if somebody manages to break in and wants
to use GET instead of POST to hack it, I don't see a hell of a lot of
difference.

If they're smart enough to get past the authentication, they're sure as
hell smart enough to do a forged POST.  [shrug]

you are right - actually I code pretty much the way you describe - but I was meaning a situation where the user is not the hacker but that the hacker is a third party trying to trick the user into performing an action.... which is a lot easier to do without alerting the user if the relevant action can be triggered by a GET.

imagine a link:

<a href="http://www.example.com?a=10&pay=MrX">so payment</a>
<a href="http://www.example.com?a=10000&pay=MrHacker">read more</a>

then imagine that as a FORM.
my point is that the link is a lot easier to drop into someone (else's) site than a form.

but yes you are right when it comes down to it. thanks for the catch.

remind me again why we acknowledge the difference between POST and GET in 2005?


GET is only "easier" to spoof than POST if you're comparing really really really stupid people with really really stupid people...

so you have met parents



-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
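As an added example, not code from this thread or from either poster: a PHP payment-confirmation handler built around the link scenario above. It shows why checking the request method alone buys nothing (a third-party page can submit a POST form as easily as it can plant a GET link) and instead ties the state-changing request to a per-session token. The function names, the hidden field `csrf`, and the reuse of the `a` and `pay` parameters from the example links are assumptions made for this example.

```php
<?php
// Added example, not from the thread: a payment-confirmation handler that
// does not rely on GET vs POST for protection. The function names and the
// hidden field name "csrf" are assumptions made for this example.
session_start();

function csrf_token(): string {
    // One random token per session, embedded in every state-changing form.
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(array $input): bool {
    // A link planted on a third-party site, or a form copied there, has no
    // way to know this session's token. hash_equals() avoids timing leaks.
    return isset($_SESSION['csrf'], $input['csrf'])
        && is_string($input['csrf'])
        && hash_equals($_SESSION['csrf'], $input['csrf']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The method check only decides which branch runs; it is the token,
    // not the verb, that proves the request came from our own form.
    if (!csrf_valid($_POST)) {
        http_response_code(403);
        exit('missing or invalid token');
    }
    $amount = filter_var($_POST['a'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $payee  = $_POST['pay'] ?? '';
    if ($amount === false || $payee === '') {
        http_response_code(400);
        exit('bad request');
    }
    // ... record the payment for the logged-in user here ...
    echo 'payment of ' . $amount . ' to ' . htmlspecialchars($payee) . ' recorded';
    exit;
}
// GET only renders the form (no side effects), carrying the token along.
$token = htmlspecialchars(csrf_token());
$a     = htmlspecialchars($_GET['a'] ?? '');
$pay   = htmlspecialchars($_GET['pay'] ?? '');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf" value="' . $token . '">'
   . 'Amount: <input name="a" value="' . $a . '"> '
   . 'Payee: <input name="pay" value="' . $pay . '"> '
   . '<button>confirm payment</button></form>';
```

A GET to this script only draws the form, so a planted link cannot trigger the payment, and a copied form fails the token check because the attacker's page never sees the victim's session token.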
