Using GET to send message

[jaymc]

Im making a little live private chat system, I am not superp with javascript or ajax but I can use what i know to do this

 

To send a message to my server, I am using getelementbyid().value to pull out what ever they have typed in the <input field>

 

To send it to the server I am using ajax which will send something like this to a php file for parsing

 

parse.php?user=Jamie&message=What ever the have typed in the box is here&val=yes

 

 

That is working fine, I sent a message 1000 chars long and there was no hiccups

 

Is this ok? I mean its working..

 

 

Perhaps another way would be better? using POST with AJAX instead of GET.. although if both work..?

[Dragen]

I'd advise you to use pot. mainly because get would just make the url look very ugly. Also it's more secure.

I don't see why you're using any javascript as I'm sure you could do it all in php if it's just sending a form to a php script to execute.

[jaymc]

I would need to use meta refresh then

 

using Javascript means no page refresh

[cooldude832]

I'd advise you to use pot. mainly because get would just make the url look very ugly. Also it's more secure.

I don't see why you're using any javascript as I'm sure you could do it all in php if it's just sending a form to a php script to execute.

um what is pot?  secondly you don't see the action of an ajax script so that isn't a problem. Thirdly ajax is needed as its meant to be instant and alert them of a message, not be a refresh thing.  4thly  (if thats a word)  using get is dangerous as I could inject it by directly landing on your processing page (unless you protect it), however I don't know of any other way to handle this using ajax.

[Dragen]

um what is pot?

The first thing google thought of pot

 

anyway, I see your point about the refresh. I thought that with the form being sent to the php file it was refreshing anyway, so that wouldn't be a problem, but I was wrong.

 

Personally though I'd rather have a quick refresh, which you could do with headers instead of meta, instead of javascript due to some peoples lack of support for javascript (for one reason or another). But that's just my own preference.

[cooldude832]

support for javascript isn't an issue as it was a few years ago.  The myth that js was a virus highway cause of flaws in IE 6 made people fearful  of it, however now nearly ever major site uses it, and its  assumed your end user will function on your site with js.  If not they can have the same stuff happen, but it will take longer.  My thought was that the PM box would be similar to google chat.

[jaymc]

It has to be java, I dont really care about the over protective users who dont hava javascript etc

 

So in conclusion is it ok to use GET rather than POST?

 

As for the code injection.. whats to stop people from creating an external form and posting injections if I was to use POST rather than GET

[cooldude832]

exactly, but it takes more work, this has been a common topic lately, and no one has come up with a good system other than sessions

[GingerRobot]

In what way is get more insecure than post? Thats just rediculous - its simply a method for transferring data.

 

What does it matter if someone sends a request to your page? As long as they are logged in then they should be able to chat. You dont actually care where that comes from. If they really wanted to set up their own form to send data, then why the hell not? No-one could achieve anything useful by doing that, so its not a problem.

[cooldude832]

actually get is way more insecure regardless of loging in or not.  The fact is you can inject get via any browser, with post you need to know a bit more to do it.  Yes realtively they both can be cracked, but get is far more insecure.