security risks with using GET instead of POST?

Re: security risks with using GET instead of POST?

On 2004-08-14, NotGiven <noname@nonegiv en.net> wrote:[color=blue]
> I remember reading long ago something about the it was easier to hack a GET
> than a POST.
> Is that true? If so, can it be overcome?[/color]

Its easier to change a url, than getting your browser/client to post
other data. But POST is still as "secure" as GET. Dont ever trusth the
data from clients - make sure you validate, dont assume that you are
getting what you expect.
[color=blue]
> The reason I ask is that I want the user to be able to click the BACK button
> in the browser and go back to a search RESULTS page without getting a page
> expired error.[/color]

Use GET :)

--
Dennis Møllegaard Pedersen, Denmark
replace spam with my firstname spam@moellegaar d.dk
PGP fingerprint = 5A23 2E7D 7F4F 7FBE 39AC CDEF 55A0 FF70 87C0 59D9

Re: security risks with using GET instead of POST?

NotGiven wrote:
[color=blue]
> I want the user to be able to click the BACK button in the browser
> and go back to a search RESULTS page without getting a page expired
> error.[/color]

This sounds idempotent to me. You can read about this in rfc 2616, or
for something a bit more readable, try this:



If it is idempotent, use GET. (And note what Dennis Pedersen [1] said
about security.

[1] I can't make that character in my newseader -- at least, I don't
know how -- so I've left your middle name out. :-)

--
Brian (remove ".invalid" to email me)

Re: Re: security risks with using GET instead of POST?

"Dennis Mllegaard P" wrote:[color=blue]
> On 2004-08-14, NotGiven <noname@nonegiv en.net> wrote:[color=green]
> > I remember reading long ago something about the it was easier to[/color]
> hack a GET[color=green]
> > than a POST.
> > Is that true? If so, can it be overcome?[/color]
>
> Its easier to change a url, than getting your browser/client to[/color]
post[color=blue]
> other data. But POST is still as "secure" as GET. Dont ever[/color]
trusth the[color=blue]
> data from clients - make sure you validate, dont assume that you[/color]
are[color=blue]
> getting what you expect.
>[color=green]
> > The reason I ask is that I want the user to be able to click the[/color]
> BACK button[color=green]
> > in the browser and go back to a search RESULTS page without[/color]
> getting a page[color=green]
> > expired error.[/color]
>
> Use GET
>[/color]

And read up on "sql injection" attacks (use your favorite search
engine). As indicated, validate input. e.g. if you expert $_GET[’a’]
to be integer, then do

$a = intval($_GET[’a’]);
it is also advised to email yourself a message if the above match does
not occur. Some hacker may be "probing" your system.

On the positive side, most hackers go after established scripts
(phpnuke, phpbb, etc.) which are the same from one implementation to
another. I don’t think they bother with custom implementation sites,
unless they are determined, or the site is very popular (at which
time, one can afford to fix things up).

And you would never be 100% sure that things are secure, so frequent
backs are advised.

--
http://www.dbForumz.com/ This article was posted by author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbForumz.com/PHP-security...ict139663.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbForumz.com/eform.php?p=467179