Posted by Richard Lynch on 03/03/05 20:14
Jochem Maas wrote:
> Gareth Williams wrote:
>>
>> Wouldn't using GET instead of POST help?
>
> in a way it could - but you don't usually want to use a GET as this
> can be easily spoofed (i.e. anyone could send you a link or post one in a
> forum that would do the post action without warning you)
>
> which comes down to: you should be 'certified' if you use GET to allow
> users to submit a payment confirmation - you only want a FORM to be able
> to submit such a confirmation rather than allowing any old link to issue
> such a confirmation....
>
> for a much better description on why using GET is 'bad' in this kind of
> situation I refer you to posts made by Richard Lynch (I think??) in the
> last 6 weeks (can't remember the subject I'm afraid)
Gah!
I'm actually the one who said you should *NOT* fool yourself that POST is
any "more secure" than GET.
Only the dumbest of the dumb can't figure out how to save an HTML form and
modify it to POST whatever they want to your script.
Choosing POST over GET should be a matter of aesthetics, not security.
I have many scripts that will behave "the same" with GET or POST input.
Or, more correctly, would do the same thing if you were trying to spoof
them with GET/POST input.
The most common example is to view/edit a record in the database, I often
use a link with GET to get to the edit page, and that has a FORM (POST) to
the same page to update the record.
I'll use REQUEST all over, and if somebody manages to break in and wants
to use GET instead of POST to hack it, I don't see a hell of a lot of
difference.
If they're smart enough to get past the authentication, they're sure as
hell smart enough to do a forged POST. [shrug]
GET is only "easier" to spoof than POST if you're comparing really really
really stupid people with really really stupid people...
--
Like Music?
http://l-i-e.com/artists.htm