POST or GET?


2 replies to this topic

#1 matfish


Posted 18 September 2006 - 02:57 PM

Hi,

I'm trying to tighten up security on a login system and invoices.

Using GET, a user can type in crap in the address bar and maybe spoof an id that displays someone else's invoice.

If using POST - is this still possible? Can you spoof it and accidentally bring up an invoice (for example) if it only requires an invoice number?

Many thanks

#2 ToonMariner


Posted 18 September 2006 - 03:09 PM

Everything is sent by headers - you can manipulate these headers to your own ends.

Somebody may even be so determined as to save the source code of your page, alter it a little and use that to send the request.

There isn't much you can do to stop them trying - it's what you do to stop them succeeding that counts.  The main worry is probably mysql injection - so on fields where that info is used in a query use mysql_escape_real_string to remove any potential injection attacks.
follow me on twitter @PHPsycho
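
The server-side handling this reply points towards, as an added example that is not part of the original thread: the invoice number is treated as untrusted whether it arrives by GET or POST, the query uses PDO placeholders rather than the escaping function mentioned above (its actual name is mysql_real_escape_string, from the mysql extension that was removed in PHP 7), and a row is returned only if it belongs to the logged-in user. The table layout, the `fetchInvoice` function and the sample rows are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (schema is assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, total TEXT NOT NULL)');
$db->exec("INSERT INTO invoices (id, owner_id, total) VALUES (1001, 7, '120.00'), (1002, 8, '950.00')");

/**
 * Return the invoice only if it belongs to the logged-in user (hypothetical helper).
 * $rawId is whatever arrived in $_GET or $_POST: both are client-controlled.
 * $sessionUserId must come from server-side session state, never from the request.
 */
function fetchInvoice(PDO $db, int $sessionUserId, $rawId): ?array
{
    // Validate the shape first: digits only, bounded length. Reject everything else.
    if (!is_string($rawId) || !preg_match('/^[0-9]{1,9}$/', $rawId)) {
        return null;
    }
    // Placeholders keep the value out of the SQL text (no injection), and the
    // owner_id condition stops a guessed number returning someone else's row.
    $stmt = $db->prepare('SELECT id, total FROM invoices WHERE id = :id AND owner_id = :owner');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $sessionUserId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In a real handler: $rawId = $_POST['invoice'] ?? null; $uid = $_SESSION['user_id'];
// Here user 7 is assumed to be logged in and the request values are constructed.
$cases = [
    'own invoice'          => '1001',
    'other user\'s number' => '1002',
    'injection string'     => "1001' OR '1'='1",
    'array instead of id'  => ['1001'],
];
foreach ($cases as $label => $rawId) {
    $row = fetchInvoice($db, 7, $rawId);
    echo str_pad($label, 22), $row === null ? 'denied' : 'invoice ' . $row['id'] . ' total ' . $row['total'], PHP_EOL;
}
```

Run with the PHP CLI and the pdo_sqlite extension enabled; only the first case returns a row, and the other three are refused for different reasons (ownership, input shape, input type).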

#3 matfish


Posted 18 September 2006 - 03:12 PM

What's an injection attack?

How is it done / stopped?

Many thanks - doing a bit of googling about it now...



