how to use post rather than get - CodingForum

  • how to use post rather than get

    Hi, I have some code which loops and prints links. Each link has different values for its variables on the end of the URL. As someone pointed out the other day, it would be better for security to use a POST instead; I just can't think of a way to do it with this code. The code is this:
    PHP Code:
    $rota_type_query = "SELECT rota_id, rota_name, no_required from rota_type";
    $rota_type_result = mysql_query($rota_type_query);
    $num_rows = mysql_num_rows($rota_type_result);

    if ($num_rows > 0)
    {
        print "<table>";
        while ($rota = mysql_fetch_array($rota_type_result))
        {
            $rota_id      = $rota["rota_id"];
            $rota_name    = $rota["rota_name"];
            $no_of_people = $rota["no_required"];
            // every value is appended to the query string, so the target page reads it with $_GET
            print "<tr><td>$rota_name   </td><td><a href='edit_rota_type.php?rota_id=$rota_id&rota_name=$rota_name&no_of_people=$no_of_people' target='_self'>edit</a></td>";
            print "<td><a href='delete_rota_type.php?rota_id=$rota_id&rota_name=$rota_name&no_of_people=$no_of_people' target='_self'>delete</a></td></tr>";
        }
        print "</table>";
    }
    Thanks, Andy.

  • #2
    Think we'll need more code. I don't even see where you have declared a $_GET variable...
    Stevie Peele
    Neverside IRC Network - irc.veonex.net | tc.tutorialnetwork.org
    #dev - any programming,etc. question
    #design - design discussion and critique
    #central - general chat
    Come join us!



    • #3
      That is pretty much all of the code; all of the "getting" is done on the page that the link refers to. As it is, it works fine, but I don't want to compromise on security. The only way I could think to do this was to turn it into a form and have every variable that is appended to the URL as a hidden field. But, as it is at the moment, the URL is generated on the fly, so I can't think how to account for that in terms of a form.



      • #4
        The variables sent via the query string are the GET variables.
        You could use JavaScript and a hidden form, e.g.

        <a href="#" onclick="submitForm('var1', 'var1', 'etc');">link</a>

        where submitForm fills in hidden fields in your hidden form and document.formname.submit()'s that form. If you want to go that path, ask in the JavaScript forum.


        I personally would not bother; query strings make the world go around, and your mission, should you accept it, is to make sure that if someone alters your query string it has no adverse effects on the rest of your script.

        Making your script use POST is NO more secure (though an extra bit of work for the 'attacker') than GET.

        Time spent making your script secure with the assumption that an attacker can alter any incoming data is better spent than time obfuscating information, which adds no real security to your script.
        resistance is...

        MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)



        • #5

          I personally would not bother; query strings make the world go around, and your mission, should you accept it, is to make sure that if someone alters your query string it has no adverse effects on the rest of your script.

          Making your script use POST is NO more secure (though an extra bit of work for the 'attacker') than GET.
          Thanks for the helpful reply! As you said above, if there is no point in terms of security in using POST rather than GET, how would I go about ensuring that if the user tries to edit the query string it doesn't mess things up?
          Thanks again, Andy.



          • #6
            That depends on the application. In your example, you would pass the id to a database record per GET, which is fine. Assuming that this id is always a positive number, I would validate in my code that the incoming value of $_GET['id'] is actually in a numerical format.

            A good and needed measure is to always use addslashes() or mysql_escape_string() for values that will be used in SQL queries, to prevent any SQL injection attack. Quick example:

            PHP Code:
            // deliberately faulty: the raw query-string value goes straight into the SQL text
            $password = $_GET['password'];
            $sql = "SELECT name FROM users WHERE password = '$password'";
            $result = mysql_query($sql);

            if (mysql_num_rows($result) == 1) {
                echo 'User authenticated';
            }

            The code above is bad, because you could taint the value of "password" in the query string, and get unauthorized access through this faulty login routine. Don't do this!

            Better:

            PHP Code:
            $password = addslashes($_GET['password']);
            // as before 
            De gustibus non est disputandum.
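Putting posts #4 and #6 together for the edit page from post #1: the following is an added example, not code from this thread. It trusts only rota_id from the query string, validates it as a positive integer before any query runs, re-reads rota_name and no_required from the database by that id instead of taking them from the URL, and binds the id with a PDO prepared statement (a swap-in for the addslashes()/mysql_escape_string() approach above). It assumes a PDO connection in $pdo and the rota_type table from the first post.

```php
<?php
// Added example (not from the thread). Assumed: $pdo is an open PDO connection
// and rota_type(rota_id, rota_name, no_required) exists as in post #1.

function validate_rota_id($raw)
{
    // Accept only a plain positive integer. "12abc", "-3", "+5", " 5", "1e3",
    // "0x1f", "007", "0" and "" all come back as null.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function load_rota_type(PDO $pdo, $rawId)
{
    $id = validate_rota_id($rawId);
    if ($id === null) {
        return null; // tampered or malformed id: no query is run at all
    }
    // The id is bound as a parameter, so it never becomes part of the SQL text;
    // name and headcount come from the row, not from whatever was in the URL.
    $stmt = $pdo->prepare(
        'SELECT rota_id, rota_name, no_required FROM rota_type WHERE rota_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Handler for edit_rota_type.php: an altered query string can only produce
// "no such row", never a different query.
$row = isset($_GET['rota_id']) ? load_rota_type($pdo, $_GET['rota_id']) : null;
if ($row === null) {
    http_response_code(400);
    exit('Invalid or unknown rota id');
}
// Escape on output so a rota name containing markup cannot inject HTML.
printf(
    '<h1>Editing %s (%d people required)</h1>',
    htmlspecialchars($row['rota_name'], ENT_QUOTES, 'UTF-8'),
    (int) $row['no_required']
);
```

With this handler the links from the first post only need to carry rota_id, so rota_name and no_of_people drop out of the query string altogether.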
