[pLog-svn] Re: AdminLoginAction
Oscar Renalias
oscar at renalias.net
Wed Mar 22 14:00:15 GMT 2006
From a security point of view, a POST request is as easy to forge as
a GET one. You may need to use a tool like curl or wget, but it's easy.
Other than that, I don't understand your comment. We have a
validation system in place that validates data (regardless of where
it came from), so that's pretty well covered there.
Oscar
On 22 Mar 2006, at 14:48, soosa soosa wrote:
> There's a rule in the PHP world that says: "TRY ALWAYS TO HIDE YOUR
> DATA AS MUCH AS POSSIBLE !!!". Actually it's not a matter of
> disallowing the user to see his data moving from place to place
> using the HTTP request; hiding the posted data in the body of the
> HTTP request is just much more secure than sending it in the header of
> the HTTP request. You know what, I really cannot remember the last time
> that I used the $_GET superglobal array !!! It doesn't make
> sense to use it, because you are simply giving everybody the ability
> to "SEE" what you are posting, and even if the data is really not
> that important it should still be considered something precious that
> needs to be secured. $_POST is just "and might be the only !!" way
> to forward your data and let it swim from sea to sea with
> less worrying :-)
>
>
> God Save Open Source ;-)
>
> soosa
>
>
> On 3/22/06, Jon Daley <plogworld at jon.limedaley.com> wrote:
> On Tue, 21 Mar 2006, Jesse Peterson wrote:
> >> It doesn't matter, does it? There can't be both of them in the same
> >> request :-)
> >
> > Sure there can. You can send an HTTP POST to a URL like:
> > http://example.com/example.php?myparam=value. In raw PHP you grab the
> > URL param from $_GET and the POST param from $_POST.
> >
> > Unless I'm completely wrong - which wouldn't surprise me :).
>
> You (Jesse) are correct. When I code stuff I give the POST
> higher precedence than the GET, because POSTs are a little harder to
> hack.
> Here is a function I use all the time, and then never access $_GET
> or $_SERVER, etc. directly.
>
>
> // $type selects the source: "GET", "POST", or "EITHER" (POST wins over GET).
> // jd_escape_string() is my own escaping helper and is not shown here.
> function getHttpVar($type, $name, $default){
>     if($type == "GET"){
>         if(isset($_GET[$name])){
>             return jd_escape_string($_GET[$name]);
>         }
>     }
>     else if($type == "POST"){
>         if(isset($_POST[$name])){
>             return jd_escape_string($_POST[$name]);
>         }
>     }
>     else if($type == "EITHER"){
>         if(isset($_POST[$name])){
>             return jd_escape_string($_POST[$name]);
>         }
>         else if(isset($_GET[$name])){
>             return jd_escape_string($_GET[$name]);
>         }
>     }
>     // Not present in the requested source: fall back to the caller's default.
>     return $default;
> }
>
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://devel.lifetype.net/mailman/listinfo/plog-svn
>
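A worked variant of Jon's accessor, added here as an example; it is not code from the pLog/LifeType project or from any poster in this thread. It keeps the POST-over-GET precedence from the EITHER branch but, following Oscar's point that neither channel is harder to forge than the other, validates each parameter against an expected type (PHP's standard filter_var()) instead of escaping it, and rejects parameters it has no rule for. The parameter names and rules (postId, page, slug) and the sample request arrays are assumed for illustration; $_GET and $_POST are passed in as arguments so the script runs from the command line.

```php
<?php
// Added example, not part of pLog/LifeType or of Jon Daley's code.
// The lookup order mirrors Jon's getHttpVar(); the escaping step is
// replaced by per-parameter validation, because a POST body is no
// harder for a client to forge than a query string.

// Hypothetical per-parameter rules. Anything not listed is rejected,
// so the set of accepted inputs is explicit rather than open-ended.
$PARAM_RULES = [
    'postId' => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 1]],
    'page'   => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 1, 'max_range' => 10000]],
    'slug'   => ['filter'  => FILTER_VALIDATE_REGEXP,
                 'options' => ['regexp' => '/^[a-z0-9-]{1,64}$/']],
];

/**
 * Fetch one request parameter by source ("GET", "POST" or "EITHER";
 * EITHER prefers POST, as in Jon's version) and validate it.
 * Returns the typed, validated value, or $default when the parameter is
 * absent, unknown, not a plain string, or fails its rule.
 */
function getHttpVar(string $type, string $name, $default,
                    array $get, array $post, array $rules)
{
    $raw = null;
    if (($type === 'POST' || $type === 'EITHER') && isset($post[$name])) {
        $raw = $post[$name];
    } elseif (($type === 'GET' || $type === 'EITHER') && isset($get[$name])) {
        $raw = $get[$name];
    }

    if ($raw === null || !isset($rules[$name])) {
        return $default;          // not supplied, or no rule defined for it
    }
    if (!is_string($raw)) {
        return $default;          // array-style input (name[]=...) is not accepted
    }

    $rule  = $rules[$name];
    $clean = filter_var($raw, $rule['filter'], ['options' => $rule['options']]);
    return ($clean === false) ? $default : $clean;
}

// Constructed sample request: the same parameter name appears in both
// the query string and the body, which is exactly the case the thread
// discusses. Values are illustrative only.
$sampleGet  = ['postId' => '7', 'page' => '2', 'slug' => 'not a valid slug!'];
$samplePost = ['postId' => '12abc'];

foreach ([
    ['EITHER', 'postId', 0],   // POST wins over GET, then is validated
    ['GET',    'postId', 0],   // GET only
    ['EITHER', 'page',   1],   // only present in GET
    ['EITHER', 'slug',   ''],  // present but does not match the rule
    ['EITHER', 'other',  ''],  // no rule defined: rejected regardless of source
] as [$type, $name, $default]) {
    $value = getHttpVar($type, $name, $default, $sampleGet, $samplePost, $PARAM_RULES);
    printf("%-6s %-7s => %s\n", $type, $name, var_export($value, true));
}
```

The point of the rules table is that the decision "is this value acceptable?" is made per parameter and is identical whichever channel delivered it; choosing POST over GET only decides which copy is examined, not whether it is trusted.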