With register_globals set to off, what is considered to be safer – submitting a form using GET or POST? What are the advantages and disadvantages?
Thanks!
[QUOTE]also, you can modify the value of GET, so if you use it, never forget to verify the data and data format, (which you should do in both cases anyway)[/QUOTE]
You can modify the value of POST too. Data verification is just as important no matter where the data is supposed to be coming from.
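The point made in this reply, as an added example that is not part of the original thread: one server-side validator applied to request data whether it arrived by GET or by POST. The field names `qty` and `sku`, their formats and the function name `validate_order` are hypothetical.

```php
<?php
// Added example, not code from the thread. The same checks run on the
// request data no matter which method carried it. Field names are hypothetical.

function validate_order(array $input): array
{
    $errors = [];
    $clean  = [];

    // Reject fields the form never defined (an edited local copy can add any).
    $unexpected = array_diff_key($input, ['qty' => true, 'sku' => true]);
    if ($unexpected) {
        $errors['_fields'] = 'unexpected: ' . implode(', ', array_keys($unexpected));
    }

    // qty: integer in an allowed range. Missing or array values fail too.
    $qty = filter_var($input['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors['qty'] = 'must be an integer from 1 to 100';
    } else {
        $clean['qty'] = $qty;
    }

    // sku: strict format, anchored at both ends.
    $sku = $input['sku'] ?? '';
    if (!is_string($sku) || !preg_match('/\A[A-Z]{3}-\d{4}\z/', $sku)) {
        $errors['sku'] = 'must look like ABC-1234';
    } else {
        $clean['sku'] = $sku;
    }

    return [$clean, $errors];
}

// In a handler the input would be chosen like this and validated the same way:
//   $data = $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET;
// Constructed sample inputs: identical tampered values by either method.
$samples = [
    'GET, tampered'  => ['qty' => '5000', 'sku' => 'ABC-1234'],
    'POST, tampered' => ['qty' => '5000', 'sku' => 'ABC-1234'],
    'POST, extra'    => ['qty' => '2', 'sku' => 'ABC-1234', 'admin' => '1'],
    'POST, valid'    => ['qty' => '2', 'sku' => 'ABC-1234'],
];
foreach ($samples as $label => $data) {
    [$clean, $errors] = validate_order($data);
    echo $label, ': ', $errors ? 'rejected ' . json_encode($errors)
                               : 'accepted ' . json_encode($clean), "\n";
}
```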
[QUOTE]the browser might freeze or info might get lost[/QUOTE]
[QUOTE]They can't alter the form itself, unless they have access to the server itself[/QUOTE]
You don't need access to the server to modify a form. All you need is Microsoft Notepad, installed on 99% of computers worldwide, and if it is not installed there will be an equivalent.
[QUOTE]I guess it could work as long as people are logged in...[/QUOTE]
That's a joke, right? If somebody needed to be logged in to submit a form how would they ever get to log in in the first place.
[QUOTE]Hang on. As in, servers don't automatically prevent form submission from a URL/address other than the target domain?[/QUOTE]
That shows a fundamental misunderstanding of how the internet works. [B]All[/B] forms are submitted from the user's machine and not from the 'target domain'.
[QUOTE]Okay then, let me 'refine' it for you a bit more:[/QUOTE]
That has nothing to do with whether GET or POST is more secure.
[QUOTE]It could work 'even on pages where sessions and cookies are required' as long as people are logged in... I don't give a darn about login and signup screens and whatever scripts that don't demand a session or cookie for starters. Everybody (or at least most people) thoroughly checks the values coming in from those anyway.[/QUOTE]
[QUOTE]? You can detect the 'previous' url right? So if that 'url' doesn't start out with the domain name of the target domain, you can discriminate. I don't know the exact method, but I've been told Neopets.com uses it.[/QUOTE]
No. Not reliably. That information is stripped out by many firewalls and ISPs (for privacy reasons) and can easily be spoofed. In fact there is an extension for Firefox for just this purpose. Again though this has nothing to do with whether GET or POST is more secure.
[QUOTE]this will be my last post about it.[/QUOTE]
Good idea! Up until now it would seem that you have modified your argument with every new post. If you stop making these ridiculous posts now less people will realise you haven't a clue what you are talking about.
[QUOTE]I don't know how, and I'm not up to trying to investigate it, all I can say is, apparently there IS a way to discriminate the source of the posted information by discriminating the urls.[/QUOTE]
[QUOTE]$Post>$Get, the variables transferred by $Get are very easy to change.[/QUOTE]