PHP GET or POST security -


good morning. i'm taking exam later today on web development. pretty confident of exam, looking on past paper came across question:

b) developer decides use http get send user message message board system. explain potential security threats , discuss how overcome them. note should consider two situations:

  1. http must used.
  2. http changed. (15 marks)

i know post , get, i'm not sure able discuss in enough detail achieve 15 marks.

this attempt of me answering question, if suggestions can made in attempt direct me in correct direction, appreciated:

get insecure, if message private message data sensitive , therefore should not used unless added security included. display user message in url allowing view this, looking on shoulder etc. post nature more secure, not show message in url , instead adds http header, secure if http protocol secure , encryption should considered sensitive data.

if suggest written in response question, appreciated!

thanks

when talking security there several levels. using or post not live or dead type of choice, definitly usefull make distinction between two.

as name suggests, get ment retrieve information , post used send information. if keep in mind, it's not hard know method use.

in case user posting new message message board. post right answer. reason post more secure this, requires specific action user or javascript. cannot send link via email , directly make post new message. if use get send link http://www.example.com/postmessage.php?message=post%20me , if click it, post it.

now if message board secured username password, , logged in, have posted on behalve get request , nobody know wasnt realy you. potential security risk.

now if send mail link, still need click it. consider allowed post images on same message forum. post image myself <img src='/postmessage.php?message=post%20me' width='0' height='0'/> , every user visits post post message, since your/their browser tries get image , have again posted on behalf.

now if post javascript, make post request. posting javascript lot less common.

another side effect of get request searchengines spider , potentially create messages aswell.

and last: request limited. if want post large message, need post. see what maximum possible length of query string? lot of detail query string length. reach maximum get.

now these security issues cannot solved using post instead of get , require more effort on serverside code. first step use proper method.


Comments

Post a Comment

Popular posts from this blog

php - cannot display multiple markers in google maps v3 from traceroute result -

i'm newbie in php mysql , google maps v3. have problems in google maps v3. made traceroute web based , map traceroute's result in google maps v3 final project of college education. have try many tutorials didn't work. have tried tutorials in forum nothing worked. problem cannot display multiple markers got location data database. maybe because i'm newbie , not know how do. confuse looping show markers. here code <?php error_reporting(e_all ^ (e_notice)); ini_set('max_execution_time', 360); $enable_log_user = false; global $ip, $host_name, $host_ip; $host = @$_post['host']; $trace = @$_post['trace']; $self = $_server['php_self']; include("phpsqlajax_dbinfo.php"); $connection = mysql_connect ('127.0.0.1', $username, $password); if (!$connection) { die('not connected : ' . mysql_error());} $db_selected = mysql_select_db($database, $connection); if (!$db_selected) { die ('can\'t use db : ...
Read more

c# - DetailsView in ASP.Net - How to add another column on the side/add a control in each row? -

i have detailsview control on page used edit various fields of record, works in respect. i looking way add 1 column (and if works, why not more) right, absolutely read-only, show same fields of record comparison purposes. i aware there no obvious way such thing out of box detailsview . have looked other controls (transposed gridview , recommended formview , listview ), nothing satisfies. have special data binding setup using detailsview , can't out of without losing features. anyone on how "hack in" additional columns (for display only) on detailsview ? the solution have now, use second detailsview , visible set false in aspx. in code, make sure databind hidden detailsview hosts data third column first, initial detailsview named itemdetails . and in item created event, pass third column html rendering of hidden controls (in last code block) : protected void itemdetails_itemcreated(object sender, eventargs e) { if (dataite...
Read more

javascript - firefox memory leak -

i have following script (i use raphaeljs also) draws circle, waits 1 second, draws circle again, etc (you can copy paste - functional, need include raphael raphaeljs.com): <div id="holder"> </div> <script src="raphael.js" type="text/javascript"></script> <script> var paper = raphael(10, 50, 320, 200); var rad = math.pi / 180; var finangle = 0; function sector(cx, cy, r, startangle, endangle, params) { var x1 = cx + r * math.cos(-startangle * rad), x2 = cx + r * math.cos(-endangle * rad), y1 = cy + r * math.sin(-startangle * rad), y2 = cy + r * math.sin(-endangle * rad); return ["m", cx, cy, "l", x1, y1, "a", r, r, 0, +(endangle - startangle > 180), 0, x2, y2]; } var path = sector(100,100,50,0,180); var arc = paper.path(path); function draw() { path = sector(100,100,50,0,finangle); ...
Read more