On Mon, 2009-04-13 at 15:47 -0700, Michael A. Peters wrote:
> Daevid Vincent wrote:
> > Just to clarify. Obfuscation is NOT a substitute for security. While I don't
> > disagree with the "when's" here of GET vs POST, this statement is a bit
> > misleading...
> >
> > Any cracker worth his salt can easily install any number of Firefox
> > extensions or unix command line tools and not only view the POST data, but
> > alter it as well. So if you are sending something like a password, don't
> > think that it's "secure" just because Joe Average doesn't see it. If you're
> > not using SSL, then it is sent as plain text like everything else.
> >
> > And don't assume that what you presented on a web page in select boxes and
> > other form elements is the ONLY thing that is going to come back to your
> > server to process. It's trivial to mangle the data. This is what SQL
> > injection is all about.
> > http://en.wikipedia.org/wiki/SQL_injection
> > http://phpsec.org/projects/guide/3.html
> >
> > Daevid.
> > http://daevid.com
>
> It also should be noted that POST is not automatically secure against
> CSRF attacks. While most CSRF attacks are GET, they can and do happen
> via POST as well.
>
> I agree that passwords need to be sent via SSL.
> Unfortunately most users use the same login and passwords for many
> sites. So even if your site doesn't otherwise need SSL, using SSL for
> login helps protect your users.
>
> For me the biggest advantage of POST is the URLs aren't ugly.
> For cases where GET with a variable in the URL is useful (i.e.
> product=BluePhone) I prefer to handle that via mod_rewrite.
>
> The requests get handled by generic.php and generic.php then looks at
> what the requested URI is to figure out what otherwise would have been
> specified by a GET.
>
> Just as linkable as ?get=whatever and a lot prettier for the user to
> look at in the URL bar.
>
> I think doing it that way also has search engine indexing advantages.
I've done a bit of research into that, and can't find any evidence to suggest that the so-called "friendly URLs" are actually of any benefit to search engines. Just put a question into Google, and more often than not, the top few results are from forums, which tend not to use these friendly URLs.

The only reason one might help with SEO is the case where a site is being redeveloped or re-versioned, and you need to preserve old page names to retain any ranking the site once had.

Of course, I welcome any evidence to the contrary, so if any of you have stumbled across links to any of that...

Ash
www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
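The quoted messages above touch three separate points: routing a pretty URL through a single generic.php that inspects the request URI, not trusting that a POSTed value is one of the options you rendered, and the fact that POST alone does not stop CSRF. The following generic.php is an added example (not code from any poster on this thread) that puts them together; the /product/<slug> URL shape, the colour list, the products table and the in-memory SQLite DSN are all assumptions made for the example.

```php
<?php
// generic.php: every request is rewritten here (e.g. RewriteRule ^ generic.php [L]).
// The "product" that would otherwise arrive as ?product=BluePhone is read from the path.
declare(strict_types=1);
session_start();

// 1. Route on the path only, and only accept a tightly constrained shape,
//    e.g. /product/blue-phone. Anything else is a 404, not a guess.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';
if (!preg_match('#^/product/([a-z0-9-]{1,64})$#', $path, $m)) {
    http_response_code(404);
    exit('Not found');
}
$slug = $m[1];

// 2. The <select> you rendered is not a constraint on what comes back:
//    re-check every submitted value against the server-side list.
$allowedColours = ['blue', 'red', 'black']; // assumed option list

// 3. POST is not CSRF-safe by itself: require a per-session token on any
//    state-changing request and compare it in constant time.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    $colour = $_POST['colour'] ?? '';
    if (!in_array($colour, $allowedColours, true)) {
        http_response_code(400);
        exit('Invalid colour');
    }
    // ... apply the validated change for $slug / $colour here
}

// 4. Look the product up with a prepared statement so the slug stays data, not SQL.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (slug TEXT PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO products VALUES ('blue-phone', 'Blue Phone')"); // constructed sample row
$stmt = $pdo->prepare('SELECT name FROM products WHERE slug = ?');
$stmt->execute([$slug]);
$product = $stmt->fetch(PDO::FETCH_ASSOC);
if ($product === false) {
    http_response_code(404);
    exit('Not found');
}
// Render the form; the hidden csrf field is what step 3 checks on the next POST.
printf('<h1>%s</h1><form method="post"><input type="hidden" name="csrf" value="%s">',
    htmlspecialchars($product['name'], ENT_QUOTES), htmlspecialchars($_SESSION['csrf'], ENT_QUOTES));
```

The token check rejects a cross-site POST because the attacking page cannot read the victim's session token, while the in_array check rejects a hand-edited select value regardless of whether it arrived by GET or POST.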