RE: $_GET verses $_POST

Just to clarify. Obfuscation is NOT a substitute for security. While I don't
disagree with the "when's" here of GET vs POST, this statement is a bit
misleading... 

Any cracker worth his salt can easily install any number of Firefox
extensions or unix command line tools and not only view the POST data, but
alter it as well. So if you are sending something like a password, don't
think that it's "secure" just because Joe Average doesn't see it. If you're
not using SSL, then it is sent as plain text like everything else.

And don't assume that what you presented on a web page in select boxes and
other form elements is the ONLY thing that is going to come back to your
server to process. It's trivial to mangle the data. This is what SQL
injection is all about.
http://en.wikipedia.org/wiki/SQL_injection
http://phpsec.org/projects/guide/3.html

Daevid.
http://daevid.com

-----Original Message-----
From: Jason Pruim [mailto:jason@xxxxxxxxxxxxxx] 
Sent: Sunday, April 12, 2009 12:57 PM
Subject: Re:  $_GET verses $_POST

POST does not display anything in the browser, so as others have said it's
perfect for logins since that info will never be visible to the user.
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
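
The point made in the reply above about form elements, as an added example that is not part of the original thread: the server re-checks a select-box value against its own allow-list and passes it to the database only as a bound parameter. The `staff` table, the `dept` field and its options are hypothetical, and the script assumes PHP 7 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original thread. Table, field and option
// names are hypothetical; $_POST is simulated so the script runs from the CLI.

// Options the form's <select name="dept"> offered. The server keeps its own copy.
const ALLOWED_DEPTS = ['sales', 'support', 'billing'];

function find_staff(PDO $db, array $post): array
{
    $dept = $post['dept'] ?? null;

    // The client can send anything: a value never in the <select>, an array
    // (dept[]=x), or nothing at all. Reject everything outside the allow-list.
    if (!is_string($dept) || !in_array($dept, ALLOWED_DEPTS, true)) {
        throw new InvalidArgumentException('dept is not one of the offered options');
    }

    // Bound parameter: the value is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT name FROM staff WHERE dept = :dept ORDER BY name');
    $stmt->execute([':dept' => $dept]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (name TEXT, dept TEXT)');
$db->exec("INSERT INTO staff VALUES ('Ann', 'sales'), ('Bob', 'support'), ('Cy', 'sales')");

// Constructed request bodies: one the form could produce, three it could not.
$requests = [
    ['dept' => 'sales'],
    ['dept' => "sales' OR '1'='1"],
    ['dept' => ['sales']],
    [],
];

foreach ($requests as $post) {
    try {
        echo json_encode($post), ' => ', json_encode(find_staff($db, $post)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($post), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same checks apply unchanged to `$_GET`; the request method makes no difference to what the client is able to send.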

