Re: [PHP] Submitting as POST. Why?
On Fri, April 6, 2007 7:44 pm, Mike Shanley wrote:
> With POST, everything stays hidden, mostly untamperable, and

I must take exception to this statement...

Step 1. Use your browser's "Save As..." menu to save the HTML FORM page to your hard drive.
Step 2. Change any damn thing you want in the INPUT values, add some extra INPUT, take some away.
Step 3. Open your hacked HTML page with your browser's "Open..." menu.
Step 4. "Submit" the hacked FORM.

In 4 trivial steps, which require no special browser plugins, no super-tricky knowledge, a casual visitor can break a [much too] large percentage of websites "out there" if they so desire.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
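The four steps above, and the "curl is your friend" replies elsewhere in this thread, come down to one fact: the POST body is bytes the client composes, so a hidden input is just a suggestion. The following is an added example (Python, not code from the original thread); the catalogue, the field names and the two handlers are made up to show what a tampered submission looks like on the wire and how a server-side handler that re-derives its facts differs from one that believes the form.

```python
"""
Added example (not from the mailing-list thread): a POST body built the
way a "Save As / edit / Submit" form or `curl -d` would send it, beside a
naive handler that trusts it and a hardened one that does not.
The catalogue, field names and prices are invented for illustration.
"""
from urllib.parse import urlencode, parse_qs

# Server-side source of truth. The hidden <input name="price"> the page
# ships to the browser is only a copy of this, and the client can edit it.
CATALOGUE = {"cd-001": 1200, "cd-002": 950}   # prices in cents
ALLOWED_FIELDS = {"item", "qty", "price"}      # the fields the real form has


def forged_post_body(item, qty, price, extra=None):
    """Return the exact application/x-www-form-urlencoded bytes a tampered
    form submission carries. `extra` adds fields the original form never had."""
    fields = {"item": item, "qty": qty, "price": price}
    if extra:
        fields.update(extra)
    return urlencode(fields).encode()


def process_order_naive(body: bytes):
    """The pattern being objected to: the server believes the hidden price
    field, and any other field the client cares to invent."""
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    total = int(form["price"]) * int(form["qty"])
    return {"item": form["item"],
            "total_cents": total,
            "admin": form.get("admin") == "1"}


def process_order_hardened(body: bytes):
    """Re-derive everything from server-side state. The client may *choose*
    an item and a quantity; it may not *assert* a price or add fields.
    Returns None for any request that is not exactly what the form produces."""
    raw = parse_qs(body.decode(), keep_blank_values=True)
    # Reject, rather than silently ignore, fields the form never defined.
    if not set(raw) <= ALLOWED_FIELDS:
        return None
    item = raw.get("item", [""])[0]
    if item not in CATALOGUE:
        return None
    try:
        qty = int(raw.get("qty", [""])[0])
    except ValueError:
        return None
    if not 1 <= qty <= 99:
        return None
    # Whatever the client claimed the price was is ignored entirely.
    return {"item": item, "total_cents": CATALOGUE[item] * qty}
```

The hardened handler treats the whole submission as untrusted input: unknown fields are grounds for rejection rather than something to skip over, and the price never comes from the client at all. Nothing here depends on GET versus POST; the same checks apply to a query string.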
Re: [PHP] Submitting as POST. Why?
On Fri, April 6, 2007 7:35 pm, barophobia wrote:
> I only know of one reason to submit a form as POST and that is because
> you can submit more data in one shot.
>
> What other reasons are there?

#1 If it "changes" anything [*] on the server it MUST be POST and not GET. If you don't grok this, put it this way: Assume that web-crawler spiders like Google WILL submit FORMs that use GET, and if you don't like that, don't use GET.

#2 GET can be more limited in the amount of data it can send. POST can also be limited. Exact limits are server/browser/version specific, and HTTP specs also placed minimums on HTTP-compliant software, which also changed over time.

#3 POST bookmarked form results are generally not usefully (or broken-ly) passed around from visitor to visitor. This can be "good" or "bad" depending on your needs.

#4 Some consider a POST URL less ugly than a long GET URL. YMMV

#5 Really really really dumb Bad Guys haven't figured out how trivial it is to send POST data to mess with your site, but have figured out how super-duper trivial it is to muck with the GET URL to mess with your site. This makes POST 0.01% "more secure" than GET, sort of... It weeds out the dumbest of the dumb Bad Guys.

* "anything" does not include log files, stats, tracking etc, but rather the data behind the server. A more formal definition involving the word "immutable" (or was it some other high-falutin' word?) and fifty pages of legalese is available in the RFCs if you are bored enough to read them...
Re: [PHP] Submitting as POST. Why?
On Sat, 2007-04-07 at 10:26 -0400, tedd wrote:
> At 9:11 PM -0400 4/6/07, Robert Cummings wrote:
> > On Fri, 2007-04-06 at 20:44 -0400, Mike Shanley wrote:
> > > With POST, everything stays hidden, mostly untamperable, and
> >
> > Bullshit. It is VERY easy to tamper with post data.
>
> Please provide an example.

All those spam bots that trawl the web making advertising posts on blogs, and forums. In almost every case they make a post. CURL is your friend.

Cheers,
Rob.

-- 
| InterJinn Application Framework - http://www.interjinn.com |
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
Re: [PHP] Submitting as POST. Why?
On Apr 7, 2007, at 9:26 AM, tedd wrote:
> At 9:11 PM -0400 4/6/07, Robert Cummings wrote:
> > On Fri, 2007-04-06 at 20:44 -0400, Mike Shanley wrote:
> > > With POST, everything stays hidden, mostly untamperable, and
> >
> > Bullshit. It is VERY easy to tamper with post data.
>
> Please provide an example.

curl... the web developer extension to firefox... make a form on your computer that posts to another server (action=wherever_you_want_it_to_go method=post)... It's trivial to modify POST data...

Ed
Re: [PHP] Submitting as POST. Why?
At 4/7/2007 03:10 AM, Stut wrote:
> The difference between get and post is not what you *can* do, it's what you *should* do.
>
> Get, as the name implies, should be used when retrieving a page. The URL, including the query string, should contain info needed to retrieve the right page. No significant changes to either session or persistent data should be made in response to a get request.
>
> Post is used to send data to the server, and should be used when modifying something. That something could be 'the logged in user' (in the case of a login form), or 'a blog entry' (in the case of a blog entry editor form).
>
> Put more simply, get requests should not make significant changes to the data or state of your website, always use post requests for that.
>
> These implied "rules" have existed since HTTP was invented, and when you think about it they make a lot of sense. They also get emphasized by the existence of so-called web accelerators that simply pre-fetch URLs on the page the user is viewing. If you have simple links (i.e. get requests) that make changes to your websites data or state, the accelerator will seriously screw it up.

Of course, in today's web, making a page request often modifies data on the server -- consider breadcrumb managers, search engine databases, Google analytics, web stats, page counters, page-generation processes, etc.

And then there are the ubiquitous spiders (both friendly and unfriendly) that walk our sites all the time, exploring all the links. And spiders don't restrict themselves to following hyperlinks -- consider the spam robots that activate contact forms and forum engines.

The moral of the story is: don't put get links OR post actions on your pages that result in automatic modification of significant data without thoughtful validation of incoming data. As always.

Regards,
Paul
__
Paul Novitski
Juniper Webcraft Ltd.
http://juniperwebcraft.com
Re: [PHP] Submitting as POST. Why?
At 9:11 PM -0400 4/6/07, Robert Cummings wrote:
> On Fri, 2007-04-06 at 20:44 -0400, Mike Shanley wrote:
> > With POST, everything stays hidden, mostly untamperable, and
>
> Bullshit. It is VERY easy to tamper with post data.

Please provide an example.

Cheers,
tedd

-- 
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] Submitting as POST. Why?
On Sat, 2007-04-07 at 13:59 +0100, Stut wrote:
> Robert Cummings wrote:
> > On Sat, 2007-04-07 at 11:10 +0100, Stut wrote:
> > > These implied "rules" have existed since HTTP was invented, and when you
> > > think about it they make a lot of sense. They also get emphasized by the
> > > existence of so-called web accelerators that simply pre-fetch URLs on
> > > the page the user is viewing. If you have simple links (i.e. get
> > > requests) that make changes to your websites data or state, the
> > > accelerator will seriously screw it up.
> >
> > "Accelerator" *lol*. This is a terrible waste of bandwidth. So the
> > "accelerator" downloads 50 pages linking from the first page you hit and
> > after spending 5 minutes reading the first page you decide not to visit
> > any of the other links. Fast for the user maybe, but if everyone used
> > this, it would be slower overall since the net would be plugged with 90%
> > pointless requests.
>
> Indeed, I never said they were a good thing, just that we need to be
> aware that they exist and how they work.

Yep, wasn't pointing any fingies at you, was just a comment following your post for the greater audience :)

Cheers,
Rob.
Re: [PHP] Submitting as POST. Why?
Robert Cummings wrote:
> On Sat, 2007-04-07 at 11:10 +0100, Stut wrote:
> > These implied "rules" have existed since HTTP was invented, and when you think about it they make a lot of sense. They also get emphasized by the existence of so-called web accelerators that simply pre-fetch URLs on the page the user is viewing. If you have simple links (i.e. get requests) that make changes to your websites data or state, the accelerator will seriously screw it up.
>
> "Accelerator" *lol*. This is a terrible waste of bandwidth. So the "accelerator" downloads 50 pages linking from the first page you hit and after spending 5 minutes reading the first page you decide not to visit any of the other links. Fast for the user maybe, but if everyone used this, it would be slower overall since the net would be plugged with 90% pointless requests.

Indeed, I never said they were a good thing, just that we need to be aware that they exist and how they work.

-Stut
Re: [PHP] Submitting as POST. Why?
On Sat, 2007-04-07 at 11:10 +0100, Stut wrote:
>
> These implied "rules" have existed since HTTP was invented, and when you
> think about it they make a lot of sense. They also get emphasized by the
> existence of so-called web accelerators that simply pre-fetch URLs on
> the page the user is viewing. If you have simple links (i.e. get
> requests) that make changes to your websites data or state, the
> accelerator will seriously screw it up.

"Accelerator" *lol*. This is a terrible waste of bandwidth. So the "accelerator" downloads 50 pages linking from the first page you hit and after spending 5 minutes reading the first page you decide not to visit any of the other links. Fast for the user maybe, but if everyone used this, it would be slower overall since the net would be plugged with 90% pointless requests.

Cheers,
Rob.
Re: [PHP] Submitting as POST. Why?
Maybe this could help...

GET  http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.3
POST http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5
URI  http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.1

jm

- Original Message -
From: "barophobia" <[EMAIL PROTECTED]>
To: "php-general"
Sent: Saturday, April 07, 2007 2:35 AM
Subject: [PHP] Submitting as POST. Why?

My Peeps,

I only know of one reason to submit a form as POST and that is because you can submit more data in one shot.

What other reasons are there?

Chris.
Re: [PHP] Submitting as POST. Why?
On Saturday 07 April 2007 05:56, Paul Novitski wrote:
> > barophobia wrote:
> > > I only know of one reason to submit a form as POST and that is because
> > > you can submit more data in one shot.
>
> At 4/6/2007 05:44 PM, Mike Shanley wrote:
> > When you submit via GET, all the info shows up in the URL, so people
> > can tamper with it however they like. Also, people can bookmark it as
> > well.
>
> In fact that very tamperability is one of the advantages of GET. For
> certain types of service it can be a boon to the user to be able to
> tweak the querystring. It enables even mildly technically-oriented
> people to roll their own queries for search engines, map engines,
> online resource guides, catalogs, etc.
>
> When I deliberately expose the communication channel between a form
> and a lookup engine like that, I try to choose querystring parameter
> names that are simple and easy to remember such as isbn, author, and title.
>
> Obviously you have to make sure someone can't hack your system
> through the querystring, but you should already be doing this anyway
> whether you're using POST or GET.

GET leaves someone with an option to easily make a frontend... take ktorrent, for example. This little bugger contains some khtml code and a search box, and within this search box you can add torrent tracker sites. Imho easily downloadable and consistent when it comes to searching (well, it shows the complete site inside the browser window, but you don't go looking for the search form box.)

> Regards,
>
> Paul
> __
>
> Paul Novitski
> Juniper Webcraft Ltd.
> http://juniperwebcraft.com

-- 
---
Børge
http://www.arivene.net
---
Re: [PHP] Submitting as POST. Why?
barophobia wrote:
> I only know of one reason to submit a form as POST and that is because
> you can submit more data in one shot.
>
> What other reasons are there?

The difference between get and post is not what you *can* do, it's what you *should* do.

Get, as the name implies, should be used when retrieving a page. The URL, including the query string, should contain info needed to retrieve the right page. No significant changes to either session or persistent data should be made in response to a get request.

Post is used to send data to the server, and should be used when modifying something. That something could be 'the logged in user' (in the case of a login form), or 'a blog entry' (in the case of a blog entry editor form).

Put more simply, get requests should not make significant changes to the data or state of your website, always use post requests for that.

These implied "rules" have existed since HTTP was invented, and when you think about it they make a lot of sense. They also get emphasized by the existence of so-called web accelerators that simply pre-fetch URLs on the page the user is viewing. If you have simple links (i.e. get requests) that make changes to your websites data or state, the accelerator will seriously screw it up.

As an illustration, consider a blog editing app. You log in and view a list of entries in your blog. Each one has edit and delete links next to them. These are plain URLs. The delete link uses javascript to ask the user for confirmation. The accelerator happily goes through these links, helpfully pre-fetching them for you. This is fine for the edit links, but the delete links cause the website to delete your entire blog. Oops.

Hope that's made it clear.

-Stut
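Stut's blog-delete scenario, worked through as an added example (Python, not code from the original thread). The two handlers, the simulated pre-fetcher and the session layout are invented for illustration: the first handler deletes on a plain GET link, exactly what an accelerator or spider will trigger, and the second changes state only on a POST that carries a token tied to the server-side session, which neither a pre-fetcher nor a form on some other site can supply. A JavaScript confirm dialog on the link, as in Stut's example, is not modelled because a pre-fetcher never runs it.

```python
"""
Added example (not from the mailing-list thread): a GET-triggered delete
beside a POST-plus-token delete, exercised by a simulated link pre-fetcher
and by a cross-site form post. Handler names and the session dict are
illustrative, not any real framework's API.
"""
import hmac
import secrets


def fresh_blog():
    """A tiny blog: entry id -> title (constructed sample data)."""
    return {1: "First post", 2: "Second post", 3: "Third post"}


def links_on_page(blog):
    """The delete links an index page would render, as parsed query strings.
    This is what a spider or accelerator sees and follows."""
    return [{"id": str(entry_id)} for entry_id in blog]


def delete_via_get(blog, method, query):
    """Plain link: /delete?id=2. Anyone or anything that fetches the URL
    deletes the entry. Returns an HTTP-style status code."""
    if method == "GET" and "id" in query:
        blog.pop(int(query["id"]), None)
        return 200
    return 405


def issue_token(session):
    """Put a fresh random anti-forgery token in the server-side session;
    the edit page embeds it in the delete form as a hidden field."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def delete_via_post(blog, method, form, session):
    """GET renders a confirmation form and changes nothing. POST deletes only
    when the submitted token matches the one this session was issued."""
    if method == "GET":
        return 200
    if method != "POST":
        return 405
    expected = session.get("csrf", "")
    sent = form.get("token", "")
    # Constant-time comparison; an empty expected token never matches.
    if not expected or not hmac.compare_digest(sent, expected):
        return 403
    if "id" not in form:
        return 400
    blog.pop(int(form["id"]), None)
    return 200


def accelerator_prefetch(fetch, links):
    """Simulate a pre-fetcher or spider: GET every link, submit no forms."""
    return [fetch(query) for query in links]


def hostile_page_post(blog, session, entry_id):
    """A form on someone else's site posting to the delete endpoint. The
    browser would send the victim's cookies, but the attacker cannot read
    the token out of the victim's session, so it has to guess."""
    return delete_via_post(blog, "POST", {"id": str(entry_id), "token": "guess"}, session)
```

The status codes make the difference visible in a log: the GET handler answers 200 to the pre-fetcher while the blog disappears, whereas the POST handler answers 200 to the same fetches without touching anything and 403 to the forged post. Requiring POST on its own is not enough, since a hostile page can submit a POST form just as easily; the token is what binds the request to a page the server actually served to this session.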
Re: [PHP] Submitting as POST. Why?
On 4/7/07, Paul Novitski <[EMAIL PROTECTED]> wrote:
> > barophobia wrote:
> > > I only know of one reason to submit a form as POST and that is because
> > > you can submit more data in one shot.
>
> At 4/6/2007 05:44 PM, Mike Shanley wrote:
> > When you submit via GET, all the info shows up in the URL, so people
> > can tamper with it however they like. Also, people can bookmark it as well.
>
> In fact that very tamperability is one of the advantages of GET. For certain types of service it can be a boon to the user to be able to tweak the querystring. It enables even mildly technically-oriented people to roll their own queries for search engines, map engines, online resource guides, catalogs, etc.
>
> When I deliberately expose the communication channel between a form and a lookup engine like that, I try to choose querystring parameter names that are simple and easy to remember such as isbn, author, and title.
>
> Obviously you have to make sure someone can't hack your system through the querystring, but you should already be doing this anyway whether you're using POST or GET.
>
> Regards,
> Paul

Good point. It's nice if search machines are using GET, as you could make a script to search in their search machine by just going to a url like http://www.google.com/search?q=, instead of making a form.

Tijnema
Re: [PHP] Submitting as POST. Why?
barophobia wrote:
> I only know of one reason to submit a form as POST and that is because
> you can submit more data in one shot.

At 4/6/2007 05:44 PM, Mike Shanley wrote:
> When you submit via GET, all the info shows up in the URL, so people
> can tamper with it however they like. Also, people can bookmark it as well.

In fact that very tamperability is one of the advantages of GET. For certain types of service it can be a boon to the user to be able to tweak the querystring. It enables even mildly technically-oriented people to roll their own queries for search engines, map engines, online resource guides, catalogs, etc.

When I deliberately expose the communication channel between a form and a lookup engine like that, I try to choose querystring parameter names that are simple and easy to remember such as isbn, author, and title.

Obviously you have to make sure someone can't hack your system through the querystring, but you should already be doing this anyway whether you're using POST or GET.

Regards,
Paul
__
Paul Novitski
Juniper Webcraft Ltd.
http://juniperwebcraft.com
Re: [PHP] Submitting as POST. Why?
On Fri, 2007-04-06 at 20:44 -0400, Mike Shanley wrote:
> Chris,
>
> When you submit via GET, all the info shows up in the URL, so people can
> tamper with it however they like. Also, people can bookmark it as well.

Quite true.

> With POST, everything stays hidden, mostly untamperable, and

Bullshit. It is VERY easy to tamper with post data.

> unbookmarkable. POST might sound clearly better, but unless it's
> important that people don't change anything, then go with GET.

I go with POST almost exclusively when doing forms. I do so because my form engine embeds various information (non-security sensitive information) for the form. It works using get also, but it's ugly having stuff like that in the URL. Additionally, for longer forms, there's a limit to which browsers must adhere to acknowledge. I believe browsers are only required to process 1024 bytes from a URL. Obviously some browsers will process more, but now you're counting on a non-standard feature.

For the most part, if there's stuff in the URL parameters, then they came from a link or a redirect.

Cheers,
Rob.
Re: [PHP] Submitting as POST. Why?
Chris,

When you submit via GET, all the info shows up in the URL, so people can tamper with it however they like. Also, people can bookmark it as well.

With POST, everything stays hidden, mostly untamperable, and unbookmarkable. POST might sound clearly better, but unless it's important that people don't change anything, then go with GET.

barophobia wrote:
> My Peeps,
>
> I only know of one reason to submit a form as POST and that is because
> you can submit more data in one shot.
>
> What other reasons are there?
>
> Chris.

-- 
Mike Shanley
~you are almost there~
"A new eye opens on March 5." -Omniversalism.com
Re: [PHP] Submitting as POST. Why?
barophobia wrote:
> My Peeps,
>
> I only know of one reason to submit a form as POST and that is because
> you can submit more data in one shot.
>
> What other reasons are there?

Upload a file? Not have a bag of cruft in the url/addressbar?

Because POST and GET are semantically different ... POST assumes that the submission may have side effects (e.g. registration, send an email, update a page). GET assumes no such thing, you merely 'get' a page from the server.

> Chris.