Posted by Michael Fesser on 09/30/38 12:00

..oO(The Natural Philosopher)

>Either method works: a GET method is slightly insecure, in that an
>average idiots can fake a URL and maybe get where they shouldn't:

If this can happen, then there's something seriously broken in the
scripts. Even if they can get there, they shouldn't be able to do
anything.

>Its
>harder to do with POST. There you would have to make up a web page form
>to submit with POST to the URL you were trying to screw with.

Not necessarily. There are tools that make it very easy to send
arbitrary POST data to any script. Even the WebDeveloper toolbar in
Firefox has some nice form functions, which allow to change the send
method, to modify hidden or read-only fields before sending etc.

And there are some more things about security to consider. Just three
little examples, which clearly show why it's a bad idea to use GET to
manipulate the server's state:

http://groups.google.com/group/comp.lang.php/msg/42c80631acf96223

http://thedailywtf.com/Articles/The_Spider_of_Doom.aspx

The third one happened in my own scripts. I used to have a little form
for the users to log out. It simply showed a text like "are you sure..."
and a button to confirm. Pressing it sent a POST message to the server,
causing the user to get logged out. Worked quite well.

But then someone who uses my framework on his own sites said that this
additional confirmation step would be rather useless for his visitors
and they should be able to log out immediately by just following the
/user/logout link. OK, so I changed it, since in this case the performed
action is nothing critical. At least that was what I thought. But then
something strange happened in Firefox.

I also use automatically generated link elements in my document's heads
to indicate related documents: home, search, index, up, previous and
next document and so on. Some browsers show these links as an additional
toolbar, which I find quite useful. Firefox takes it a step further and
already downloads the next document (if there is one) in the background.
The problem was: If the user was on his own profile page /user/profile,
the next document in order was /user/logout ... The nice page preload
function turned into an auto-logout.

Micha

• Next in forum: Re: HTTP POST from PHP using a link
• Prev in forum: Re: Cannot upload large files
• Thread view: Re: GET or POST method?

[Reply to this message]