Re: [PHP] Preventing data from being reposted?

Posted by Richard Lynch on 03/03/05 20:14

Jochem Maas wrote:
> Gareth Williams wrote:
>>
>> Wouldn't using GET instead of POST help?
>
> in a way it could - but you don't usually want to use a GET as this
> can be easily spoofed (i.e. anyone could send you a link or post one in a
> forum that would do the post action without warning you)
>
> which comes down to: you should be 'certified' if you use GET to allow
> users to submit a payment confirmation - you only want a FORM to be able
> to submit such a confirmation rather than allowing any old link to issue
> such a confirmation....
>
> for a much better description on why using GET is 'bad' in this kind of
> situation I refer you to posts made by Richard Lynch (I think??) in the
> last 6 weeks (can't remember the subject I'm afraid)

Gah!

I'm actually the one who said you should *NOT* fool yourself that POST is
any "more secure" than GET.

Only the dumbest of the dumb can't figure out how to save an HTML form and
modify it to POST whatever they want to your script.

Choosing POST over GET should be a matter of aesthetics, not security.

I have many scripts that will behave "the same" with GET or POST input.

Or, more correctly, would do the same thing if you were trying to spoof
them with GET/POST input.

The most common example is to view/edit a record in the database, I often
use a link with GET to get to the edit page, and that has a FORM (POST) to
the same page to update the record.

I'll use REQUEST all over, and if somebody manages to break in and wants
to use GET instead of POST to hack it, I don't see a hell of a lot of
difference.

If they're smart enough to get past the authentication, they're sure as
hell smart enough to do a forged POST. [shrug]

GET is only "easier" to spoof than POST if you're comparing really really
really stupid people with really really stupid people...

--
Like Music?
http://l-i-e.com/artists.htm
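An added example (not code from Richard Lynch's post or from the thread): the $_REQUEST-style handler the post describes, which a forged link and a saved-and-edited form reach identically, placed beside the check the quoted reply is asking for, a per-session token that only a form the server itself rendered can carry. It assumes PHP 7 or later (for random_bytes and hash_equals); the function names, the field name csrf_token and the request arrays are constructed for this example and stand in for $_GET, $_POST and $_SESSION.

```php
<?php
// Added example, not from the original thread. Shows why "use POST instead
// of GET" changes nothing, and what tying an action to *your* form requires.
declare(strict_types=1);

// The pattern from the post: read from $_REQUEST, GET or POST, same effect.
// Nothing here can tell a forum link from a hand-built POST from a real form.
function update_record_naive(array $request): string
{
    $id     = (int)($request['id'] ?? 0);
    $amount = (int)($request['amount'] ?? 0);
    return "updated record $id amount=$amount";
}

// A per-session secret rendered into the form as a hidden field. A link
// posted elsewhere, or a POST forged from another site, never saw the form
// and so cannot supply it. (csrf_token is a name chosen for this example.)
function issue_form_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function update_record_checked(array $post, array $session): string
{
    $expected = (string)($session['csrf_token'] ?? '');
    $given    = (string)($post['csrf_token'] ?? '');
    // hash_equals compares in constant time and fails on a length mismatch,
    // so an empty or missing token is rejected without a timing leak.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: missing or wrong form token';
    }
    $id     = (int)($post['id'] ?? 0);
    $amount = (int)($post['amount'] ?? 0);
    return "updated record $id amount=$amount";
}

// Constructed requests standing in for $_GET / $_POST / $_SESSION.
$session = [];                                   // fresh session
$token   = issue_form_token($session);           // rendered into the real form

$forgedGet  = ['id' => '7', 'amount' => '0'];    // a link dropped in a forum
$forgedPost = ['id' => '7', 'amount' => '0'];    // saved form, edited, re-posted
$wrongToken = ['id' => '7', 'amount' => '0', 'csrf_token' => str_repeat('0', 64)];
$legitPost  = ['id' => '7', 'amount' => '0', 'csrf_token' => $token];

echo 'naive, forged GET   : ', update_record_naive($forgedGet), "\n";
echo 'naive, forged POST  : ', update_record_naive($forgedPost), "\n";
echo 'checked, forged POST: ', update_record_checked($forgedPost, $session), "\n";
echo 'checked, wrong token: ', update_record_checked($wrongToken, $session), "\n";
echo 'checked, real form  : ', update_record_checked($legitPost, $session), "\n";
```

The first two lines of output are identical, which is the post's point: the method carries no proof of where the request came from. The checked handler accepts only the submission that carries the token it issued, and it still should be combined with authentication, since the token says "this came through my form", not "this is the right user".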