0

Possible Duplicate:
Back button re-submit form data ($_POST)

I know that for security reasons it is better to use the POST method than GET. Anyway, if you have several web pages and you want to navigate between them, if you USE the POST method your browser will re-submit the data of the previous form if you press the BACK or FORWARD button. Is there a way to use the POST method BUT let the user navigate between the previous or next page without resubmitting data? I do not know if

gdm

4 Answers

2

There is no security difference between POST and GET. If you do not want to have the resubmitting problem, you should follow the Redirect-After-Post pattern.

Edit:

For all the guys seeing a difference in terms of security.

  • You can sniff either of those via man in the middle in plain text (while not having https)
  • You can resend both requests
  • You can invent security tokens for both methods
  • The only difference is that POST does not expose information by the URL identifier. But an attacker will always check the source code as well.

Having POST to insert data in databases etc. is not because of security. It is because of the widely used REST paradigm. But the REST paradigm is not a MUST while developing a web application. It is like any standard: you may follow its guidelines or you leave it alone.

There is btw also a nice post on the exact same topic with the same findings: Is either GET or POST more secure than the other?

fyr
  • There **is** a security difference. Try creating a login form with `action='get'` without the so-called `redirect-after-post` pattern (which is usually called [PRG or Post/Redirect/Get](http://en.wikipedia.org/wiki/Post/Redirect/Get)). – binaryLV Jul 18 '11 at 15:43
  • I want to upvote and downvote this. There is a security difference: database writes should be made only as a result of `POST`, not `GET`. But I want to upvote for `POST Redirect GET`. – TRiG Jul 18 '11 at 15:44
  • You know that the redirect is invoked by the client side? You know that POST also has the replay weakness like GET? – fyr Jul 18 '11 at 15:46
  • @TRiG, database writes may occur in GET requests too. Database writes do not necessarily mean editing some main object of system. Security issues come from the fact that GET requests use URL to pass data around, and URLs are usually saved in browser's URL history/cache. E.g., passing user's e-mail and/or password via GET request would be nonsense (from a security point of view). – binaryLV Jul 18 '11 at 15:48
  • @binaryLV. Safe writes such as logging are okay, but editing content is not recommended on `GET`. – TRiG Jul 18 '11 at 17:03
  • @TRiG: you mean because browsers may support only 4k bytes in the request? – fyr Jul 18 '11 at 19:18
  • @fyr, no, because GET is meant to be used for data retrieval, POST for data processing. HTTP is a standard protocol which should be used as described in the specs. – binaryLV Jul 19 '11 at 09:04
  • @fyr, Well, that too, but it's not the most important reason. The most important reason is REST and doing things right, as @binaryLV says. – TRiG Jul 19 '11 at 09:58
  • @binaryLV that was ironic. However the RFC does not specify MUST criteria on method usage. But I think there will be no further security comments, so please no further ethical posts on REST or not REST. I mentioned the usage of the REST paradigm in my post nearly 18 hours ago, so there is no reason to add this information. And please, comments should have depth. To favor one paradigm over another is not doing things right, it is marketing, and Stack Overflow is not a marketing page. REST has its right to exist, but this post is about security and REST has nothing to do with the security of HTTP. – fyr Jul 19 '11 at 10:51
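The Post/Redirect/Get pattern from the answer above, as an added example that is not part of fyr's answer. It assumes a single script named form.php that both renders and handles the form, PHP 7.4 or newer, and that sessions are enabled; the field name `name` and the flash-message key are illustrative.

```php
<?php
// Added example: Post/Redirect/Get (PRG) in plain PHP. Assumed file name: form.php.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject cross-site or replayed submissions: the token is tied to this session.
    $token = $_POST['csrf'] ?? '';
    if (!is_string($token) || !hash_equals($_SESSION['csrf'] ?? '', $token)) {
        http_response_code(403);
        exit('bad request');
    }
    // Consume the token so the same POST cannot be replayed later.
    unset($_SESSION['csrf']);

    $name = $_POST['name'] ?? '';
    $name = is_string($name) ? trim($name) : '';
    if ($name === '') {
        $_SESSION['flash'] = 'Name is required.';
    } else {
        // ... write $name to the database here (assumed, not shown) ...
        $_SESSION['flash'] = 'Saved.';
    }

    // 303 See Other: the browser fetches the Location with GET, and the history
    // entry for this URL is that GET, so Back/Forward never resubmit the POST.
    header('Location: /form.php', true, 303);
    exit;
}

// GET branch: show the one-time message, then render the form with a fresh token.
$flash = $_SESSION['flash'] ?? null;
unset($_SESSION['flash']);
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
// Escape for HTML text and attribute contexts (ENT_QUOTES covers single quotes too).
$esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<!doctype html>
<?php if ($flash !== null): ?>
  <p><?= $esc($flash) ?></p>
<?php endif; ?>
<form method="post" action="/form.php">
  <input type="hidden" name="csrf" value="<?= $esc($_SESSION['csrf']) ?>">
  <label>Name <input name="name"></label>
  <button>Save</button>
</form>
```

For a multi-step form, the same shape applies per step: each step's POST handler validates its fields, stores them in `$_SESSION`, and redirects with 303 to the next step's URL; going Back then lands on the previous step's GET page, which can pre-fill its form from the session instead of the browser replaying a POST. The 303 status is used deliberately: it tells the client to switch to GET for the redirected request, whereas 302 leaves that to browser convention.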
0

Using the POST method isn't necessarily more secure than GET. For the sake of browsing between different pages something like ?page=home is perfectly ok, as long as you check the input before processing it. I know no method to stop browsers asking to resend the data, because there are good reasons to ask the user if he wants to send them again.

Daniel
  • It is simply never more secure. – fyr Jul 18 '11 at 15:43
  • @fyr, depends on usage. There are cases when POST is indeed more secure, as it does not leave unwanted data in browser's URL history. – binaryLV Jul 18 '11 at 15:45
  • @binaryLV: true but history will not prevent security token expiry – fyr Jul 18 '11 at 15:55
  • But suppose that I have an application divided into steps: at every step there is a form with some fields the user fills in. Every step is on a different web page. If the user wants to go back and forward, with POST will I always see the browser saying "resubmit the data"? – gdm Jul 20 '11 at 07:21
  • This is the behaviour you will get from almost every site. I don't know how amazon does it during checkout, because there you can go forwards and backwards how you like. Maybe they send the data to the server using AJAX or something similar and don't use POST at all – Daniel Jul 20 '11 at 17:16
0

POST is not better than GET. POST is just more suitable if you want to do an operation that's going to make a change in the DB (write). GET is... getting something from the DB (read). So to navigate between pages (and pagination), there's nothing wrong in using GET.

Anh Pham
0

There is nothing wrong with using $_GET in your script, just don't insert data based on a GET request, and if you show data taken from a GET, make sure you htmlspecialchars(); it before outputting it to the user.

Lawrence Cherone
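Daniel's `?page=home` navigation and Lawrence's advice to `htmlspecialchars()` GET data before echoing it, combined in one added example that is not part of either answer. It assumes an index.php that dispatches to templates under ./pages/ (file names are illustrative) and a free-text `q` parameter that is echoed back; PHP 7.4 or newer.

```php
<?php
// Added example: validating ?page= against an allowlist and escaping echoed GET data.
// Assumed file name: index.php; assumed templates under ./pages/.

// Allowlist: the GET value selects a key in this fixed map and is never used
// directly as a filename. Never do: require 'pages/' . $_GET['page'] . '.php';
// that lets ../ in the parameter walk out of the directory.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the allowlisted page key for a query array, falling back to 'home'.
// Non-string values (?page[]=x gives an array) are rejected, not coerced.
function select_page(array $query): string
{
    $requested = $query['page'] ?? 'home';
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return 'home';
    }
    return $requested;
}

// Escape for HTML text and attribute contexts. ENT_QUOTES also escapes single
// quotes, so the result is safe inside value='...' as well as value="...";
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$page   = select_page($_GET);
$search = $_GET['q'] ?? '';
$search = is_string($search) ? $search : '';   // ?q[]=x would otherwise be an array
?>
<!doctype html>
<nav>
<?php foreach (array_keys(PAGES) as $name): ?>
  <a href="?page=<?= rawurlencode($name) ?>"><?= e($name) ?></a>
<?php endforeach; ?>
</nav>
<form method="get" action="">
  <input type="hidden" name="page" value="<?= e($page) ?>">
  <input name="q" value="<?= e($search) ?>">
  <button>Search</button>
</form>
<?php if ($search !== ''): ?>
  <p>Results for <?= e($search) ?></p>
<?php endif; ?>
<?php require PAGES[$page]; ?>
```

The two checks are separate on purpose: the allowlist decides what the server does with the parameter (which file to include), while `htmlspecialchars()` only protects the point where the value is written into HTML. Escaping alone would not have stopped `?page=../../etc/passwd` from reaching `require`, and the allowlist alone would not have stopped `?q=<script>` from being reflected.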