On Fri, Feb 24, 2012 at 2:54 PM, Larry Garfield <la...@garfieldtech.com> wrote:
> On 2/24/12 4:48 PM, Ronald Chmara wrote:
>>
>> On Fri, Feb 24, 2012 at 2:40 PM, Larry Garfield <la...@garfieldtech.com>
>>> Except that per HTTP, GET and POST are completely different operations.
>>> One is idempotent and cacheable, the other is not idempotent and not
>>> cacheable.
>>> I very much care which someone is using.
>>
>> People exploiting security would *never* think of
>> caching/replaying/modifying a POST request, that's just totally
>> unimaginable! It would take, like HUGE computational effort to like,
>> cURL it or just type it out!
>>
>> er, no.
>
> Please point out where I said that POST is not a security risk. I am quite
> sure I typed no such thing, so how you read such a thing I do not know. I
> am genuinely curious to see how you managed to interpret anything I said as
> "POST is secure because it won't be cached".

Well, I didn't actually say that you said any such thing. I picked up on:

"the other is not idempotent and not cacheable"

...which is obviously false, and I highlighted, in a security context, how POSTs are cached, and should be treated with equal distrust as GET, because both are suspect, user submitted, forms of data, subject to exploiting.

-Ronabop

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php