
POST or GET?


matfish


Hi,

I'm trying to tighten up security on a login system and invoices.

Using GET, a user can type in crap in the address bar and maybe spoof an id that displays someone else's invoice.

If using POST - is this still possible? Can you spoof it and accidentally bring up an invoice (for example) if it only requires an invoice number?

Many thanks
https://forums.phpfreaks.com/topic/21156-post-or-get/

Everything is sent by headers - you can manipulate these headers to your own ends.

Somebody may even be so determined as to save the source code of your page, alter it a little and use that to send the request.

There isn't much you can do to stop them trying - it's what you do to stop them succeeding that counts. The main worry is probably mysql injection - so on fields where that info is used in a query use mysql_escape_real_string to remove any potential injection attacks.
https://forums.phpfreaks.com/topic/21156-post-or-get/#findComment-93997
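
An added example, not part of the original thread, of the server-side check that makes the GET/POST choice irrelevant for the invoice case: the invoice number from the request is validated, bound as a query parameter, and matched against the logged-in user's id taken from the session. The `invoices` table, its columns, the sample rows and `fetchInvoiceForUser` are assumptions made for illustration; PDO with an in-memory SQLite database is used so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are hypothetical.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER, total TEXT)');
// Constructed sample rows: invoice 1001 belongs to user 7, invoice 1002 to user 8.
$pdo->exec("INSERT INTO invoices VALUES (1001, 7, '120.00'), (1002, 8, '75.50')");

/**
 * Return the invoice only if it belongs to the logged-in user.
 * $rawId comes from $_GET or $_POST; both are equally client-controlled.
 * $sessionUserId comes from $_SESSION, set by the server at login.
 */
function fetchInvoiceForUser(PDO $pdo, $rawId, int $sessionUserId): ?array
{
    // Reject anything that is not a plain positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameters keep the value out of the SQL text (no injection),
    // and the user_id condition enforces ownership in the query itself.
    $stmt = $pdo->prepare('SELECT id, total FROM invoices WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values, all sent while logged in as user 7.
$requests = ['1001', '1002', "1001' OR '1'='1", '-5'];
foreach ($requests as $raw) {
    $invoice = fetchInvoiceForUser($pdo, $raw, 7);
    echo str_pad($raw, 18), ' => ',
        $invoice ? 'invoice total ' . $invoice['total'] : 'not found', PHP_EOL;
}
```

An invoice owned by another user and an invoice that does not exist produce the same "not found" result, so the response does not reveal which invoice numbers are valid.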