POST OR GET

[menelaus8888]

i know how to use both but i used POST. is there any difference between the both in terms of security or anything? what are the advantages or maybe disadvantage of using POST instead of GET or vice versa.

[pocobueno1388]

If your using GET, just make sure your not passing any personal information as it will show up in the URL. Always check to make sure the values are as expected, with both. Other than that, use whichever one suits the situation...just be aware of the data being passed.

[.josh]

Both of them have an inherent risk.  It's easier to spoof GET vars because it's passed right there in the url bar.  It's *harder* to spoof POST vars because they are not.  But it's not that much harder, as it's really easy for someone to just tamper with your form and click the submit button.  You can rightclick > view source, copy/paste into an editor, add/change whatever you want in the form, load it up in the browser, and click the submit button.  Or better yet, most browsers these days have plenty of addons to do that right on the page "live," taking out even those simple steps.

 

The point is, rather than trusting either, trust neither.  Always assume that any incoming data is a potential threat, and sanitize accordingly.  If you are expecting the input to be a set thing like a number, check to make sure it's a number, and if it's in the expected range.  use mysql_real_escape_string on data going into your database.  If you have for instance a controller to load a page inside your main page (like a tabbed menu), or like a table of data for the user to order results by, don't just blindly sortby the variable or include the variable.  Put the allowed values in an array and check if it's in the array.  And the list goes on.

[realjumper]

You're not going to move this to the HTML forum???

[.josh]

Well technically since he's asking about security in general, it could possibly go to the application design/layout forum.  But this is where we practice that leniency you suggested.  Look man, don't be sore just because your thread got moved.  It was moved to the sql forum because that's where you stand to get the most help.  Despite your beliefs, questions there do get answered very often; we have several people who answer questions there very well. In fact, they are some of the top posters here, having well over 10k posts in answering questions.  Just be patient, and stop trying to make a stink in other people's threads.

[realjumper]

Crayon, I'm not sore, and it wasn't my thread. I just agree, up to a point, with kempler that posts here (of late) seem to get moved a the drop of a hat because they _may_ be slightly off topic.

 

All I am saying is that most mysql questions asked here relate to a php written query, which will be used in a php application.....therefore, for the good of the op and other readers, such posts should remain here. That's how we learn.

 

I respect you and your obvious skills in these languages, but please be a little more flexible and look at the bigger picture. If you and the other moderators want posts to be absolutely and strictly in their proper place, this excellent group of forums will become a mess, and that would be such a damn shame.

[.josh]

No...if we were to just put everything in one forum, THEN it would be an absolute mess. THAT'S the bigger picture.  Please refer to my grocery store produce section analogy in the comments forum you posted in. 

[realjumper]

No...if we were to just put everything in one forum, THEN it would be an absolute mess. THAT'S the bigger picture.  Please refer to my grocery store produce section analogy in the comments forum you posted in. 

 

I have....I now refer you to that thread

[MasterACE14]

You're not going to move this to the HTML forum???

 

This question could really go in quite a few sub forums here. Does it really matter if he posted a HTML related question in the PHP Help Forum if the question is more or less related to PHP to secure the GET and/or POST's anyway.