Jochem Maas <mailto:[EMAIL PROTECTED]>
    on Thursday, March 03, 2005 5:57 AM said:

> Gareth Williams wrote:
>> 
>> Wouldn't using GET instead of POST help?
> 
> in a way it could - but you don't usually want to use a GET as this
> can be easily spoofed (i.e. anyone could send you a link or post one
> in a forum that would do the post action without warning you)
> 
> which comes down to: you should be 'certified' if you use GET to allow
> users to submit a payment confirmation - you only want a FORM to be
> able to submit such a confirmation rather than allowing any old link
> to issue such a confirmation....

POST can be easily spoofed as well. I can recreate the form found on
your site on my own server and submit my data that way. I can also
submit POST by constructing my own headers in PHP (or just about any
other language for that matter). In both of those cases the data was
submitted in a way unexpected by the site author.

POST is not a security measure. I think what's special about POST is
that it is meant to hold a lot more data. With GET there is a limit to
how long the querystring can be.



Chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
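
The point made in this thread, as an added example that is not part of the original messages: since neither GET nor POST proves a request came from your own form, the server can refuse GET for the confirmation and require a per-session token that a form copied to another server cannot know. The function names and the `csrf` field are hypothetical; in a real script the arguments would be `$_SERVER['REQUEST_METHOD']`, `$_SESSION` and `$_POST`.

```php
<?php
// Added example; csrf_issue(), confirm_allowed() and the 'csrf' key are hypothetical names.

// Create (once per session) the random token the real form carries as a hidden field.
function csrf_issue(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Decide whether a payment-confirmation request may proceed.
function confirm_allowed(string $method, array $session, array $post): bool
{
    // A bare link can only issue GET, so never change state on GET.
    if ($method !== 'POST') {
        return false;
    }
    // A form rebuilt on another server, or hand-built headers, can still POST,
    // but the sender does not know the token stored in this user's session.
    $expected = $session['csrf'] ?? '';
    $given    = $post['csrf'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// Constructed sample requests (not captured traffic).
$session = [];
$token   = csrf_issue($session);
$cases   = [
    'link in a forum (GET)'      => ['GET',  []],
    'copied form, no token'      => ['POST', ['order' => '42']],
    'copied form, guessed token' => ['POST', ['order' => '42', 'csrf' => str_repeat('0', 64)]],
    'genuine form'               => ['POST', ['order' => '42', 'csrf' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $verdict = confirm_allowed($method, $session, $post) ? 'accepted' : 'rejected';
    printf("%-28s %s\n", $label, $verdict);
}
```

The token only ties a request to a session: a user who builds their own POST can include their own token, so the submitted values still have to be validated on the server.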
