"Dennis Mllegaard P" wrote:
On 2004-08-14, NotGiven <no****@nonegiven.net> wrote: I remember reading long ago something about how it was easier to hack a GET than a POST.
Is that true? If so, can it be overcome?
It's easier to change a URL than to get your browser/client to
post other data. But POST is still as "secure" as GET. Don't ever
trust the data from clients - make sure you validate, don't assume that you
are getting what you expect.
The reason I ask is that I want the user to be able to click the
BACK button in the browser and go back to a search RESULTS page without
getting a page expired error.
Use GET
And read up on "sql injection" attacks (use your favorite search
engine). As indicated, validate input. e.g. if you expect $_GET['a']
to be an integer, then do
$a = intval($_GET['a']);
It is also advised to email yourself a message if the above match does
not occur. Some hacker may be "probing" your system.
On the positive side, most hackers go after established scripts
(phpnuke, phpbb, etc.) which are the same from one implementation to
another. I don’t think they bother with custom implementation sites,
unless they are determined, or the site is very popular (at which
time, one can afford to fix things up).
And you would never be 100% sure that things are secure, so frequent
backups are advised.
--
http://www.dbForumz.com/ This article was posted by author's request
Topic URL:
http://www.dbForumz.com/PHP-security...ict139663.html
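The advice in the thread (GET and POST are equally untrusted, validate every parameter, watch for values that fail validation, and avoid SQL injection on the search query) put together as an added example. This is not code from any poster; it assumes a hypothetical search-results page with a table `items(id, title)` and uses an in-memory SQLite database through PDO so it runs offline from the PHP CLI (requires the pdo_sqlite extension). The sample requests at the bottom are constructed: one normal bookmarkable GET, one where the URL was hand-edited, and one that would have arrived as a POST body. `error_log()` stands in for the mail-yourself step suggested in the thread.

```php
<?php
// Added example, not from the original thread: validate GET/POST parameters
// for a search-results page and query with bound parameters.
declare(strict_types=1);

// Return $source[$name] as an integer clamped to [$min, $max], or $default.
// $alert is set when the raw value is not an integer at all: intval("1 OR 1=1")
// quietly returns 1, and a value like that is the "probing" signal worth logging.
function intParam(array $source, string $name, int $default, int $min, int $max, ?string &$alert = null): int
{
    if (!isset($source[$name])) {
        return $default;
    }
    $raw = (string) $source[$name];
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        $alert = "non-integer value for '$name': " . substr($raw, 0, 64);
        return $default;
    }
    return max($min, min($max, (int) $raw));
}

// $params is whichever superglobal the request used ($_GET or $_POST); the
// validation is identical because neither is more trustworthy than the other.
function runSearch(PDO $db, array $params): array
{
    $alert   = null;
    $page    = intParam($params, 'page', 1, 1, 1000, $alert);
    $perPage = intParam($params, 'per_page', 10, 1, 50, $alert);
    if ($alert !== null) {
        // The thread suggests mail(); error_log() is used here so the example
        // runs without a mail setup (hypothetical stand-in).
        error_log("validation failure: $alert");
    }

    // Free-text search term: bound in length, never interpolated into the SQL.
    $q = isset($params['q']) ? trim((string) $params['q']) : '';
    $q = substr($q, 0, 100);
    // Escape LIKE metacharacters so a "%" in the input cannot match every row.
    $pat = '%' . strtr($q, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';

    $stmt = $db->prepare(
        "SELECT id, title FROM items WHERE title LIKE :pat ESCAPE '\\' ORDER BY id LIMIT :lim OFFSET :off"
    );
    $stmt->bindValue(':pat', $pat, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline fixture: in-memory SQLite with a few constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO items (title) VALUES (?)');
foreach (['apple pie', 'apple tart', 'banana bread', 'cherry crumble'] as $title) {
    $ins->execute([$title]);
}

// Constructed requests. The second one is what "changing the URL" looks like:
// an injection attempt in q, a non-integer page, and an oversized per_page.
$requests = [
    'bookmarkable GET' => ['q' => 'apple', 'page' => '1'],
    'tampered URL'     => ['q' => "apple' OR '1'='1", 'page' => '1 OR 1=1', 'per_page' => '99999'],
    'POST body'        => ['q' => 'bread', 'page' => '1'],
];
foreach ($requests as $label => $params) {
    $titles = array_column(runSearch($db, $params), 'title');
    printf("%-16s -> %s\n", $label, json_encode($titles));
}
// bookmarkable GET -> ["apple pie","apple tart"]
// tampered URL     -> []            (page falls back to 1, per_page clamped to 50, q is bound as data)
// POST body        -> ["banana bread"]
```

The tampered request never reaches the database as anything but data: the quote in `q` is just a character inside a bound string, `page` is rejected and logged rather than silently turned into 1 by `intval()`, and `per_page` is clamped so a forged value cannot ask for the whole table. The GET version is still bookmarkable and survives the browser's Back button, which was the original reason for preferring GET.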