Re: Delete

On Monday 05 June 2006 00:41, Rabin Vincent wrote:
> On 6/4/06, Larry Garfield <larry@xxxxxxxxxxxxxxxx> wrote:
> > Only if delete.php is a confirmation page.  Never ever ever have a
> > delete function that operates solely by GET.
> >
> > Here's why: http://thedailywtf.com/forums/thread/66166.aspx
>
> Yes, I've seen that one before. IMO the main problem there
> is the faulty authentication system. If you put delete links
> public, and fail to put proper authentication in place, someone's
> going to delete your content, no matter if the delete action
> is a POST submit button or a GET link.
>
> I don't see how POST is better/more secure for a delete action.
>
> Rabin

Data-modification actions should always be made via POST, not GET, because 
they're harder to make by accident that way.  They can't be bookmarked or 
easily picked up by spiders and search engines.  GET should be used only for 
read-only actions.  That's what it's for (GETting data).

-- 
Larry Garfield			AIM: LOLG42
larry@xxxxxxxxxxxxxxxx		ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
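
A sketch of the delete.php arrangement discussed in this thread, added here as an example and not code from any of the posters: GET only renders a confirmation page, the deletion happens on POST, and the login check Rabin raises applies to both. The session keys (`user_id`, `items`, `delete_token`), the session-held sample data and the `index.php` redirect target are assumptions, and the one-time form token goes a step beyond what the thread itself covers.

```php
<?php
declare(strict_types=1);
// delete.php: added example; session keys and index.php are hypothetical names.
session_start();
// Constructed sample data standing in for the application's real storage.
$_SESSION['items'] ??= [1 => 'first post', 2 => 'second post'];

// Authentication is enforced for every method, GET and POST alike.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}
$method = $_SERVER['REQUEST_METHOD'];

if ($method === 'GET') {
    // GET is read-only: a spider, prefetcher or bookmark that follows
    // delete.php?id=N only ever receives this confirmation form.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if (!is_int($id) || !isset($_SESSION['items'][$id])) {
        http_response_code(404);
        exit('No such item');
    }
    // One-time token (hex, so safe to embed) tying the POST to this form.
    $token = $_SESSION['delete_token'] = bin2hex(random_bytes(16));
    echo "<form method=\"post\" action=\"delete.php\">
        <p>Really delete item {$id}?</p>
        <input type=\"hidden\" name=\"id\" value=\"{$id}\">
        <input type=\"hidden\" name=\"token\" value=\"{$token}\">
        <button type=\"submit\">Delete</button></form>";
    exit;
}

if ($method === 'POST') {
    // Only a submitted confirmation form reaches the data-modifying branch.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $token = (string) filter_input(INPUT_POST, 'token');
    $expected = $_SESSION['delete_token'] ?? '';
    unset($_SESSION['delete_token']); // the token is single-use
    if (!is_int($id) || $expected === '' || !hash_equals($expected, $token)) {
        http_response_code(400);
        exit('Invalid request');
    }
    unset($_SESSION['items'][$id]);
    header('Location: index.php', true, 303); // redirect so a reload is a GET
    exit;
}
// Any other method is refused outright.
http_response_code(405);
header('Allow: GET, POST');
```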

