Is placing data in an href safe?

Question

I'm wanting to pass data from one php page to another on click, and use that data in populating the linked page. At first I was going to use ajax to do this, but ran into trouble, and then realized it was as easy as placing the data in the href of the link.

My question is, is it safe to place the data directly in the href in this manner? I know that passing the data via the URL (which this ends up doing) is safe, but I heard somewhere (that I can't recall), that placing the data directly in the href of a link can cause problems with web-crawlers and the like.

Is this true? Is there anything else I should worry about in using this method? Or is this the best way for me to send data, unique to each link, to another page on click?

The PHP:

while($row = mysql_fetch_assoc($result_pag_data)) { 
    echo "<a target='_blank' href='secondary_imgs.php?imgId=".$row['imgId']."'></a>";
}

Suggest you check out the difference between GET and POST it will answer your question and you will then understand what is happening — PurplePilot, Aug 30 '11 at 08:37
What exactly do you mean by "safe"? Is your data protected from the eyes of the user and safe from manipulation? Nope. — ty812, Aug 30 '11 at 08:40
@Martin Hohenberg - As I stated in my question, I was specifically meaning 'safe' in terms of potential problems from web-crawlers. I am well aware of the dangers of using `GET` and/or placing your data in the URL. However, I see no alternative in this circumstance. — stefmikhail, Aug 30 '11 at 08:50

score 1 · Answer 1 · answered Aug 30 '11 at 08:37

I think it's safe enough if you want to display some data, but never use get method to insert data, especially careful when it comes to sql. NEVER use get method to modify sql, if had to, validify the arguments first.

Be careful with post method too. In a word, never trust users, you never know.

score 1 · Answer 2 · answered Aug 30 '11 at 08:37

It looks like it's safe since you're "only" querying an image with a specific id (that's all you're doing, right?). Just ask yourself if

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

9.1.1 Safe Methods
Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe".

applies.

score 1 · Answer 3 · answered Aug 30 '11 at 08:38

1

Neither passing data through URL, nor embedding it into href is safe.

That data can be seen by user, so you are not protecting your data from user.
That data can be modified by user, so you are not protecting your data from modification and your script from getting evil or misformed parameters.

So, if you are designing the system which is going to be run under strict protection in a friendly environment - it's OK to pass params through the URL (hovewer, note that URL string is limited to 4096 characters). If not - it depends on protection level you want.

The simpliest way is to use POST requests instead of GET. THis way you'll not protect your data from evildoers, but ordinary users will not have the ability neither see nor modify it. Anyway, it's a good idea to validate the input on the server always.

answered Aug 30 '11 at 08:38

J0HN

26,063
5
54
85

Agree, protect one user from another is quite important. Me myself have met some XSS attacks when using some web services. – OpenGG Aug 30 '11 at 08:44
@JOHN Great answer. I'm curious, how would I use the `POST` method in my circumstance? The only two methods I know of employing it would be either in the way of a form with submit, or through Ajax. I can't think of how I could apple either of them to this particular problem, where I'm sending data to a page I'm loading. – stefmikhail Aug 30 '11 at 08:48
Just as you described here, through form or Ajax. As you are loading the page, your choice is forms. So you'll have a form with, hidden fields that are filled by javascript `a` handlers. So, your links will look like ` – J0HN Aug 30 '11 at 08:51
-1: hiding data in a POST rather than a GET does nothing to improve security. HTTP does not limit the length of a URL - see http://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url – symcbean Aug 30 '11 at 09:00
@symcbean I didn't say that it's increasing security. I've just said that it will hide the actual data from ordinary users with no firebug/wireshark, but not the evildoers. So you'd better read the post to the end before downvoting it. :) – J0HN Aug 30 '11 at 09:02

score 1 · Accepted Answer · answered Aug 30 '11 at 08:41

1

There should be no problems with web crawlers as they just follow the links.

There is however a potential security problem in that malicious users can address arbitrary rows in your table by altering the URL string. This may or may not be a problems depending on what the links point to.

If you need to restrict your data to particular users then this is not a good idea, otherwise, its simple and straightforward if it works for you then do it.

answered Aug 30 '11 at 08:41

James Anderson

27,109
7
50
78

Thanks for the info. I'm curious if there is another method for me to choose? One that would restrict the data from particular users? – stefmikhail Aug 30 '11 at 08:45
An alternative would be to post a form, where several fields can be sent. There are advantages to this. 1. You can completely hide the data from a normal users. 2. You can do JavaScript magic using the "OnPost" event. 3. You can use hidden fields, cookies etc. to foil simplistic hacking. – James Anderson Aug 30 '11 at 10:32
What I mean is, would that be possible in this case? In this case I need a hyperlink because I'm opening an external page the same time I'm sending the external page data. Does that make sense? To me it would seem that if I used `POST` I would either have to create an `input` field out of each and every link, or use Ajax, and I can't figure out how. – stefmikhail Aug 30 '11 at 11:09
1

As long as there is nothing private or restricted in hte link it will be fine! – James Anderson Aug 31 '11 at 01:34

score 0 · Answer 5 · answered Aug 30 '11 at 08:57

Define "safe".

Without knowing the the threat model is nor how the data is used it's impossible to answer.

Certainly there are very important differences between a GET and POST (but note that a POSTed for can still send GET variables via the action URL).

It's no less dangerous using a POST rather than GET to send data. Nor using a cookie. All can be modified at the client end.

If you're talking about CSRF, then there's lots of methods to prevent this - try Google for starters.

Is placing data in an href safe?

5 Answers5