
matfish

POST or GET?


Hi,

I'm trying to tighten up security on a login system and invoices.

Using GET, a user can type in crap in the address bar and maybe spoof an id that displays someone else's invoice.

If using POST - is this still possible? Can you spoof it and accidentally bring up an invoice (for example) if it only requires an invoice number?

Many thanks

everything is sent by headers - you can manipulate these headers to your own ends.

Somebody may even be so determined as to save the source code of your page, alter it a little and use that to send the request.

There isn't much you can do to stop them trying - it's what you do to stop them succeeding that counts. The main worry is probably mysql injection - so on fields where that info is used in a query use mysql_real_escape_string to remove any potential injection attacks.

What's an injection attack?

How is it done / stopped?

Many thanks - doing a bit of googling about it now...

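An added example, not code from anyone in this thread, showing both points the replies make: the invoice id is attacker-controlled whether it arrives by GET or POST, and what matters is how the server uses it. The first function builds the query by string concatenation, which is the injection problem the second reply warns about; the second function uses a mysqli prepared statement instead of the mysql_real_escape_string call the reply names (a prepared statement keeps the value as data rather than SQL), and additionally scopes the lookup to the logged-in user, which is what actually stops the "someone else's invoice" problem in the original question. The `$db` connection details, the `invoices` table and its columns, and the `$_SESSION['user_id']` key are assumptions for the example.

```php
<?php
// Added example for this thread (not the original poster's code).
// Assumptions: a mysqli connection, a session that stores the logged-in
// user's id as $_SESSION['user_id'], and an `invoices` table with
// columns id, customer_id and total. Credentials below are placeholders.
session_start();
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'shop');
if ($db->connect_error) {
    exit('Database connection failed');
}

// Vulnerable version: the id is dropped straight into the SQL string.
// It makes no difference whether it came from the address bar (GET) or a
// form body (POST) - both are just bytes the client chose - so anything
// typed into the parameter becomes part of the query.
function get_invoice_unsafe(mysqli $db, string $invoiceId): ?array
{
    $sql = "SELECT id, customer_id, total FROM invoices WHERE id = '$invoiceId'";
    $result = $db->query($sql);
    if ($result === false) {
        return null; // query error (syntax broken by the input, for instance)
    }
    return $result->fetch_assoc() ?: null;
}

// Hardened version, two separate fixes:
//  1. a prepared statement with bound parameters, so the id can only ever
//     be compared as a value and never rewrites the query;
//  2. the WHERE clause also matches the current user's id, so an invoice
//     number that belongs to another customer simply returns no row.
function get_invoice_safe(mysqli $db, int $invoiceId, int $currentUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, customer_id, total FROM invoices WHERE id = ? AND customer_id = ?'
    );
    $stmt->bind_param('ii', $invoiceId, $currentUserId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Request handling: accept the id from either method, but validate it as an
// integer before it goes anywhere near the database, and refuse the request
// if nobody is logged in.
$raw = $_POST['invoice'] ?? $_GET['invoice'] ?? '';
$invoiceId = filter_var($raw, FILTER_VALIDATE_INT);
if ($invoiceId === false || empty($_SESSION['user_id'])) {
    http_response_code(400);
    exit('Invalid request');
}

$invoice = get_invoice_safe($db, $invoiceId, (int) $_SESSION['user_id']);
if ($invoice === null) {
    // Same response for "does not exist" and "not yours": no hint either way.
    http_response_code(404);
    exit('No such invoice');
}
printf("Invoice %d, total %s\n", $invoice['id'], $invoice['total']);
```

Escaping with mysql_real_escape_string, as suggested in the reply, only addresses the first fix (keeping the input from altering the SQL); it does nothing about a correctly formed request for a different customer's invoice number, which is why the ownership condition in the query is the part that answers the original question.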