--- Burhan Khalid <[EMAIL PROTECTED]> wrote:
> Most of the stuff was common sense to me (and I was glad I
> was doing those things unconsciously).

That's good to hear. :-)

Most of the people that have heard me give this talk (which is a few
hundred now) have realized several vulnerabilities in their current
applications, bad development habits, etc. I actually get tired of giving
the same (or very similar) talks, but I'll keep giving this one as long as
it keeps surprising a lot of the audience. The fewer excuses we give
people to equate PHP with poor security, the better off we'll all be.

> However, I do have issue with one paragraph:
> 
> Page 29,
> 
> * Using POST rather than GET in forms.
> 
> "Specify POST in the method attribute of your forms.  Of course, this 
> isn't appropriate for all your forms, but it is appropriate when a form 
> is performing an action, such as buying stocks. In fact, the HTTP 
> specification requires that GET be considered safe."
> 
> Don't you mean "In fact, the HTTP specification requires that POST be 
> considered safe?" Didn't make sense to me when I read it last night.

Nope, it's correct as written. Perhaps it just needs to be rephrased, or
maybe I need to elaborate about what "safe" means in this context.

The piece of the HTTP specification I'm referring to is within section
9.1.1 of RFC 2616, entitled "Safe Methods," and it has the following to
say:

   "In particular, the convention has been established that the GET and
   HEAD methods SHOULD NOT have the significance of taking an action
   other than retrieval. These methods ought to be considered "safe".
   This allows user agents to represent other methods, such as POST, PUT
   and DELETE, in a special way, so that the user is made aware of the
   fact that a possibly unsafe action is being requested."

Thus, as developers, we should never perform an action when the request
method is GET. This means that forms intended to perform actions such as
buying stocks should specify the POST method, and we should also not rely
on register_globals or $_REQUEST, because both of these hide whether the
data we are using was sent in a GET request or a POST request. Specify
POST, and use $_POST.

Hope that clarifies what I mean a bit. Of course, I elaborate more in the
actual talk; this was just the workbook for people to reference and take
home to help remember the points. I just decided to give it away, since I
had put so much work into it. :-)

But, I'm always looking for improvements. I'll try to add a bit of
clarification in there somehow.

Thanks for the feedback.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
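The distinction Chris draws above, as an added example that is not part of the original message or the workbook: a stock-purchase handler written the weak way with `$_REQUEST`, beside one that refuses every method except POST and reads only `$_POST`. The field names `symbol` and `qty`, the script name `buy.php` and the `buy_stock()` routine are assumed for illustration, and the code assumes PHP 7 or later.

```php
<?php
// Added example (not from the original post or workbook). Assumed names:
// the form fields "symbol" and "qty", the script buy.php and buy_stock()
// are hypothetical. The matching form would be:
//   <form method="post" action="buy.php"> ... </form>

// Weak pattern: $_REQUEST (like register_globals) merges GET, POST and
// cookie data, so this handler also places an order when a browser merely
// follows a link or loads an image pointing at
//   GET /buy.php?symbol=ABC&qty=100
// That turns a "safe" method into a state change.
function handle_buy_weak(): void
{
    $symbol = $_REQUEST['symbol'] ?? '';
    $qty    = (int) ($_REQUEST['qty'] ?? 0);
    buy_stock($symbol, $qty);
}

// Hardened pattern: GET and HEAD stay side-effect free. Anything other than
// POST is answered with 405 and an Allow header, and input is read from
// $_POST only, so the request method can no longer be hidden from us.
function handle_buy(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        echo "This action requires a POST request.\n";
        return;
    }

    $symbol = $_POST['symbol'] ?? '';
    $qty    = (int) ($_POST['qty'] ?? 0);

    // Minimal validation of the constructed fields before acting on them.
    if (!preg_match('/^[A-Z]{1,5}$/', $symbol) || $qty <= 0) {
        http_response_code(400);
        echo "Invalid order.\n";
        return;
    }

    buy_stock($symbol, $qty);
}

// Hypothetical placeholder for the real order routine.
function buy_stock(string $symbol, int $qty): void
{
    echo "Bought {$qty} shares of {$symbol}\n";
}

handle_buy();
```

Checking `$_SERVER['REQUEST_METHOD']` is what makes the method explicit; switching the array from `$_REQUEST` to `$_POST` alone is not enough, because a request can still arrive as POST with the real fields in the query string, and the check on the method is what lets the user agent's "possibly unsafe action" warning mean something.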