1

I'm working in CodeIgniter, and I want to send requests to my controller/model that have several parameters involved. Is there a difference between passing those parameters via a hidden form (i.e. using $_POST) as opposed to passing them through URIs (e.g. 'travel/$month/$day/')? Are there any security concerns with this approach?

Example Security Concern:

  • URIs

    http://www.example.com/travel/$month/$day/

  • Hidden Form:

    form_hidden('month',$month);
    form_hidden('day',$day);

imlouisrussell
  • 936
  • 11
  • 30

4 Answers4

3

Rule of thumb — GET requests should never change the state of things. So, if you actually change something or request — use hidden forms with nonce values (to prevent accidental resubmissions and CSRF attacks). Otherwise, there's no difference.

Auth should be decoupled from URIs and POST data — there are cookies, HTTP auth and SSL client certificates. Everyone knows that there is a 11th June in 2009, and a lot of people may know that you use /$year/$month/$day/ scheme in URIs (or "year","month" and "day" POST fields) on your site. But only those who are entitled to access should be able to see what's on this page (or POST data to this URI). And, yes, both GET and POST data can be easily tampered, so you obviously have to check for validity.

drdaeman
  • 11,159
  • 7
  • 59
  • 104
0

I ran into this same issue recently. When anything additional is exposed in the URL, you run the risk of exposing website methods/data. After quite a bit of research, I elected to only show variables when absolutely needed or if the page was just a simple view. The more data you expose in your URL, the more checks you'll likely need to put in place (what if the user modifies the URL in x way).

Another consideration is the ability to bookmark or link to URLs (presumably views). One idea is to hide variables in the URL via an encrypted string. You could then store the encrypted string in your database and serialize as needed. I did this for a search engine and it gave me the best of both worlds. This was with CodeIgniter.

MattB
  • 714
  • 1
  • 8
  • 18
0

If you choose URIs, if the user bookmarks the URLs,
it brings security problem.

and if any user clicks any links ,
then the target web server can now know
HTTP_REFFER, and the server administrator
can know the link.

it means he can see the URI.

so my personal opinion is that
you better choose hidden form.

Jonathan itou
  • 75
  • 10
0

If you monitor your incoming-data (users are evil goblins, remember), and clean when necessary it's not going to make much of a difference. The difference only comes down to usability: if you want users to be able to access the same results without always having to go through a form, then use the URL method.

In all honesty, your example doesn't given enough data to determine which method (POST/GET) would be appropriate for you.

Suggested Reading: GET versus POST in terms of security?

Community
  • 1
  • 1
Sampson
  • 265,109
  • 74
  • 539
  • 565
  • Thanks! Sorry my post was simplified. My actual goal is making a forum which would be passing around user_ids, question_ids, answer_ids, category_ids ... Thanks for the related post, I'm reading now. –  Jun 11 '09 at 15:24
  • If you want to allow direct linking to questions, answers, user pages (all good ideas, if you ask me) then allow the URL values. You'll notice that StackOverflow does this...that should give you some comfort. – Sampson Jun 11 '09 at 15:27