[pLog-svn] Re: AdminLoginAction

Oscar Renalias oscar at renalias.net
Wed Mar 22 14:00:15 GMT 2006


From a security point of view, a POST request is as easy to forge as
a GET one. You may need to use a tool like curl or wget, but it's easy.

Other than that, I don't understand your comment. We have a
validation system in place that validates data (regardless of where
it came from), so that's pretty well covered there.

Oscar

On 22 Mar 2006, at 14:48, soosa soosa wrote:

> There's a rule in the PHP world that says: "TRY ALWAYS TO HIDE YOUR
> DATA AS MUCH AS POSSIBLE !!!". Actually it's not a matter of
> disallowing the user to see his data moving from place to place
> using the HTTP request; hiding the posted data in the body of the
> HTTP request is just much more secure than sending it in the header of
> the HTTP request. You know what, I really cannot remember the last time
> that I have used the $_GET superglobal array !!! It doesn't make
> sense to use it because you are simply giving everybody the ability
> to "SEE" what you are posting, and even if the data was really not
> that important it still should be considered something precious that
> needs to be secured. $_POST is just "and might be the only !!" way
> to forward your data and let it swim from sea to sea with
> less worrying :-)
>
>
> God Save Open Source ;-)
>
> soosa
>
>
> On 3/22/06, Jon Daley <plogworld at jon.limedaley.com> wrote:
>
> On Tue, 21 Mar 2006, Jesse Peterson wrote:
> >> It doesn't matter, does it? There can't be both of them in the same
> >> request :-)
> >
> > Sure there can.  You can send an HTTP POST to a URL like:
> > http://example.com/example.php?myparam=value.  In raw PHP you grab the
> > URL param from $_GET and the POST param from $_POST.
> >
> > Unless I'm completely wrong - which wouldn't surprise me :).
>
>         You (Jesse) are correct.  When I code stuff I put the POST in
> higher precedence above the GET, because POSTs are a little harder to
> hack.
>         Here is a function I use all the time, and then never access $_GET
> or $_SERVER, etc. directly.
>
>
> // $type selects the source: "GET", "POST" or "EITHER" (POST checked first).
> // jd_escape_string() is the poster's own escaping helper, not shown here.
> function getHttpVar($type, $name, $default){
>      if($type == "GET"){
>          if(isset($_GET[$name])){
>              return jd_escape_string($_GET[$name]);
>          }
>      }
>      else if($type == "POST"){
>          if(isset($_POST[$name])){
>              return jd_escape_string($_POST[$name]);
>          }
>      }
>      else if($type == "EITHER"){
>          // POST takes precedence over GET when both carry the name
>          if(isset($_POST[$name])){
>              return jd_escape_string($_POST[$name]);
>          }
>          else if(isset($_GET[$name])){
>              return jd_escape_string($_GET[$name]);
>          }
>      }
>      return $default;   // not present in the requested source(s)
> }
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://devel.lifetype.net/mailman/listinfo/plog-svn
>
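The point Oscar makes (a POST is as forgeable as a GET, so the data must be validated regardless of where it came from), as an added example that is not from this thread or from pLog: a variant of Jon's getHttpVar() that reads both sources the same way and only returns a value matching the shape the caller declared. The function name getValidatedHttpVar, the rule names and the sample request are assumptions made for this demo.

```php
<?php
// Added example, not Jon Daley's, Oscar's or pLog's code. A POST body is as
// easy to forge as a query string, so the request source is not a trust
// boundary. The helper therefore treats GET and POST alike and returns the
// value only if it matches the declared shape; everything else is rejected.
// getValidatedHttpVar and the rule names are assumptions for this demo.

// Allowed shapes; anything else is rejected rather than escaped-and-hoped-for.
const HTTP_VAR_RULES = [
    'int'      => '/^-?[0-9]{1,9}$/',
    'username' => '/^[A-Za-z0-9_]{3,32}$/',
    'token'    => '/^[a-z]{1,20}$/',
];

/**
 * Like the original getHttpVar(): $type is "GET", "POST" or "EITHER"
 * (POST first). Returns the raw string only if it matches $rule, else $default.
 * Output/SQL escaping belongs to the layer that uses the value, not here.
 */
function getValidatedHttpVar(string $type, string $name, string $rule, $default)
{
    if ($type === 'GET') {
        $sources = [$_GET];
    } elseif ($type === 'POST') {
        $sources = [$_POST];
    } elseif ($type === 'EITHER') {
        $sources = [$_POST, $_GET];
    } else {
        return $default;
    }
    foreach ($sources as $src) {
        if (!isset($src[$name])) {
            continue;
        }
        // ?name[]=x arrives as an array; treat it as malformed, not as a string.
        if (is_string($src[$name]) && preg_match(HTTP_VAR_RULES[$rule], $src[$name]) === 1) {
            return $src[$name];
        }
        // Present but malformed: stop here, do not fall through to the other source.
        return $default;
    }
    return $default;
}

// Constructed sample request: both sides could have been set by a curl call.
$_GET  = ['page' => 'admin', 'id' => '42abc'];
$_POST = ['id' => '17', 'user' => "o'reilly", 'tag' => ['x']];

var_dump(getValidatedHttpVar('EITHER', 'id', 'int', 0));       // POST is consulted first
var_dump(getValidatedHttpVar('GET', 'id', 'int', 0));          // malformed integer
var_dump(getValidatedHttpVar('POST', 'user', 'username', '')); // apostrophe not allowed
var_dump(getValidatedHttpVar('POST', 'tag', 'token', ''));     // array, not a string
```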


