Why forms should not be provided using GET

I have a form that I submit with GET, which means the data is being added to the URL. The form is protected by a security token.

I've always been told that forms should be submitted using POST. In my case, what happens if the form is submitted using GET? What is the security risk?

+3
4 answers

The real risk is that users can see exactly which parameters are sent to your server, and can not only add bookmarks to this URL (for re-sending), but also change the URL to send other, potentially meaningless parameters to your server side script.

In some cases this is desirable (for example, Google uses GET so that it can be bookmarked), in others this can be a risk (for example, login forms).

In your own case, it depends on the nature of the "security token" and the potential harm if this token is visible (and changed) by users of your site / application. However, it is worth noting that this is also visible in the HTML source on the submit page, even if you use POST to submit the form.

, script, , SQL- .. (+1 @Switz).

+4
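To make the answer above concrete, here is an added example (not code from the original question or answers) showing where the form data travels for each method, what an access log or Referer header would retain, and how a hypothetical server-side handler refuses GET for a state-changing form and checks the security token in constant time. The session token, form action and field values are constructed for this example.

```python
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample values for this example (not from the page).
SESSION_TOKEN = "t0k3n-bound-to-this-session"
FORM_ACTION = "/account/update"
FORM_FIELDS = {"email": "alice@example.com", "token": SESSION_TOKEN}


def encode_submission(method, action, fields):
    """Show where the browser puts form fields: in the request line for GET,
    in the request body for POST. Returns (request_line, body)."""
    query = urlencode(fields)
    if method.upper() == "GET":
        return f"GET {action}?{query} HTTP/1.1", ""
    return f"POST {action} HTTP/1.1", query


def fields_visible_in_log(request_line):
    """What a server/proxy access log, browser history or Referer header
    retains is the request line, never the body. Recover any form fields
    from it: everything for GET, nothing for POST."""
    target = request_line.split(" ")[1]
    _, _, query = target.partition("?")
    return {k: v[0] for k, v in parse_qs(query).items()}


def handle_submission(method, body, session_token):
    """Hypothetical server-side handler for the form.
    - A state-changing action accepts only POST, so a bookmarked or
      link-driven resubmission is rejected and the token stays out of URLs.
    - The per-session token is compared in constant time before acting;
      a missing or edited token is refused."""
    if method.upper() != "POST":
        return 405, "state-changing form must be submitted with POST"
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    supplied = fields.get("token", "")
    if not hmac.compare_digest(supplied, session_token):
        return 403, "missing or tampered security token"
    return 200, f"email updated to {fields.get('email', '')}"


if __name__ == "__main__":
    for method in ("GET", "POST"):
        line, body = encode_submission(method, FORM_ACTION, FORM_FIELDS)
        print(method, "request line:", line)
        print(method, "fields recoverable from the log:", fields_visible_in_log(line))
        print(method, "handler result:", handle_submission(method, body, SESSION_TOKEN))
```

Note that the token is still present in the HTML source of the page that renders the form, whichever method is used, as the answer above points out; what the POST requirement changes is that the token and the other fields no longer end up in URLs, bookmarks, history and logs, and that the action cannot be triggered by simply following a link.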

, URL

URL Length = protocol+domain+port+query_string (GET)

, .
:

+4

, , . GET URL , POST . , , 12-15 , MD5, .

, GET Cross-Site Scripting Forgery, , , .

- script, , (POST GET), ... script , . , POST, , , ..

, . XSS (htmlentities), SQL- (mysql_real_escape_string) , (, html, , sql).

+3

IMO POST - ( GET), .

A GET . , GET . GET , "", - - , ,...

GET , URL- (, , ) . GET.

+3

Source: https://habr.com/ru/post/1779835/
