From: Andreas A. <a.a...@th...> - 2001-07-02 14:01:08
Hi Alby, Justin,

> I am one of those lazy coders, but I can't stand using GET but often do to
> ensure the integrity of my variable names and values. This has been a thorn
> in my side and I would like a method to handle this insecurity as well.
> My initial thought would be to include a debug option to globally echo all
> post varnames and values to the page. This is not a holistic solution
> however as I am often using servlet like pages that only include code and
> call a header ("Location: snafu.php"); when my logic is done.
> Anyone have any other ideas/problems to contribute to this?

I'm with you. I don't like GET vars very much because they mess up the Location input line. In fact that's just an aesthetic concern. As far as security is concerned, GET vars are not more dangerous than POST vars, except that the bad guy does not have to view the HTML source to start his attack. So it does not matter if POST or GET (imho), everything coming from the outside is a potential security risk and therefore it should be carefully double-checked twice.

I don't want to use forms for each and every operation. If such high security is required and checking the incoming is not enough, maybe SSL is an option.

Sometimes GET is really useful. If you have a list of db results you want to display, for example. E.g. I would use the GET var for the "delete" operation, to avoid using forms and maybe image buttons for every row (of course with an "are you sure" question). Or for switching languages. Or for the sessionId if cookies are disabled. I personally don't rely on users having cookies enabled.

Have a look at the request class (in core). There is also a newer version available as soon as Alex makes the CVS sync.

Andi
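An added illustration (not code from the thread or from the project's request class) of the point above that GET and POST values deserve exactly the same checks: both sources are merged and run through one set of per-parameter rules. The parameter names `id`, `lang` and `sid`, the allowed languages and the session-id format are assumptions modelled on the uses the message mentions; the sample requests are constructed.

```python
import re

# Per-parameter rules. Everything arriving from the client is validated the same
# way whether it came in the query string (GET) or the request body (POST).
# Names, allowed values and the session-id format are assumptions for this example.
ALLOWED_LANGS = {"en", "de", "fr"}
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_param(name, value):
    """Return the cleaned, typed value, or None if the value must be rejected."""
    if name == "id":
        # Row to delete: a plain positive integer and nothing else.
        if value.isdigit() and not value.startswith("0"):
            return int(value)
        return None
    if name == "lang":
        return value if value in ALLOWED_LANGS else None
    if name == "sid":
        return value if SESSION_ID_RE.fullmatch(value) else None
    return None  # unknown parameter names are rejected outright


def clean_request(get_params, post_params):
    """Merge GET and POST parameters and validate both through the same rules.

    Returns (cleaned, rejected): cleaned maps names to typed values, rejected lists
    the names that failed, so the caller can refuse the whole request instead of
    trusting whichever transport the client happened to choose.
    """
    merged = {}
    merged.update(get_params)
    merged.update(post_params)  # POST is not trusted more than GET: same checks
    cleaned, rejected = {}, []
    for name, value in merged.items():
        result = validate_param(name, str(value))
        if result is None:
            rejected.append(name)
        else:
            cleaned[name] = result
    return cleaned, rejected


if __name__ == "__main__":
    # Constructed sample: a delete link via GET plus a tampered POST body.
    print(clean_request({"id": "42", "lang": "de"}, {"id": "42 OR 1=1", "sid": "zz"}))
```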