Daevid Vincent wrote:
Just to clarify. Obfuscation is NOT a substitute for security. While I don't
disagree with the "when's" here of GET vs POST, this statement is a bit
misleading...
Any cracker worth his salt can easily install any number of Firefox
extensions or unix command line tools and not only view the POST data, but
alter it as well. So if you are sending something like a password, don't
think that it's "secure" just because Joe Average doesn't see it. If you're
not using SSL, then it is sent as plain text like everything else.
And don't assume that what you presented on a web page in select boxes and
other form elements is the ONLY thing that is going to come back to your
server to process. It's trivial to mangle the data. This is what SQL
injection is all about.
http://en.wikipedia.org/wiki/SQL_injection
http://phpsec.org/projects/guide/3.html
Daevid.
http://daevid.com
It also should be noted that post is not automatically secure against
csrf attacks. While most csrf attacks are get, they can and do happen
via post as well.
I agree that passwords need to be sent via SSL.
Unfortunately most users use the same login and passwords for many
sites. So even if your site doesn't otherwise need SSL, using SSL for
login helps protect your users.
For me the biggest advantage of post is the URLs aren't ugly.
For cases where get with a variable in the URL is useful (IE
product=BluePhone) - I prefer to handle that via mod_rewrite.
The requests get handled by generic.php and generic.php then looks at
what the requested URI is to figure out what otherwise would have
specified by a get.
Just as linkable as ?get=whatever and a lot prettier for the user to
look at in the url bar.
I think doing it that way also has search engine indexing advantages.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
