On Fri, February 24, 2012 4:48 pm, Ronald Chmara wrote:
> On Fri, Feb 24, 2012 at 2:40 PM, Larry Garfield
> <la...@garfieldtech.com> wrote:
>>> To me, it's just a request for some content, and in a REST API
>>> that's read-only, I just don't care if the consumer sends their
>>> request as GET or POST. I'll cheerfully give them what they wanted.
>> Except that per HTTP, GET and POST are completely different
>> operations. One is idempotent and cacheable, the other is not
>> idempotent and not cacheable. I very much care which someone is
>> using.
>
> People exploiting security would *never* think of
> caching/replaying/modifying a POST request, that's just totally
> unimaginable! It would take, like HUGE computational effort to like,
> cURL it or just type it out!
You missed the totally newbie way, or at least a way to demonstrate the issue to somebody who simply doesn't understand the issue:

Save the HTML form to your hard drive.
Edit it in Notepad (et al.) to make up whatever value="xyz" you want.
Open it in your browser using "Open File..." and pick the file.
Submit the FORM.

I had to do this several times for non-technical bosses or students who simply refused to believe that it was TRIVIAL to forge POST requests...

Once they see it in action, the light bulb goes "on" and you can say: I can also script this to repeat the same thing a million times with form-letter substitution, and then they understand it *is* trivial.

Maybe I just had dense bosses/students, or I was bad at explaining the idea, but it worked for me...

-- 
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
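The point made in the message above, that a form's value="..." choices are not a constraint on what the server receives and that a forged POST can be scripted a million times over, can be shown end to end without a browser. The following is an added example, not code from the thread or from PHP; the /signup endpoint, the "plan" field, the allowed values and the local throw-away server are all made up for illustration. It runs a tiny HTTP server in a thread, submits a value the form never offered, repeats that with form-letter substitution, and shows that the only thing which actually stops the forgery is a server-side check of the submitted value.

```python
"""
Added example (not part of the original mailing-list message): forging
HTML-form POST requests from a script, and the server-side validation
that is the only real defence. Endpoint, field names and allowed values
are assumptions made up for this demo.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The (hypothetical) signup form only offers these two <option>s for "plan".
# Nothing about that reaches the server; it is just what one client rendered.
ALLOWED_PLANS = {"basic", "pro"}

# Every field set the server actually received, for inspection after the run.
received = []


class SignupHandler(BaseHTTPRequestHandler):
    """Accepts POST /signup with urlencoded fields, as a browser form would send."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        fields = dict(urllib.parse.parse_qsl(body))
        received.append(fields)

        # Server-side validation: check the value against what we allow,
        # never against what the form "could" have sent.
        if fields.get("plan") not in ALLOWED_PLANS:
            self._reply(400, b"rejected")
            return
        self._reply(200, b"accepted")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind a throw-away server on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), SignupHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def forge_post(url, fields):
    """Submit a form POST carrying whatever field values we like.

    This is the scripted equivalent of saving the form, editing value="..."
    in Notepad and submitting it from the browser. Returns (status, body).
    """
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read().decode()


def demo(batch_size=5):
    """Run the three submissions the message describes and return the results."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/signup"
    try:
        results = {}
        # 1. A value the form actually offered.
        results["legit"] = forge_post(url, {"user": "alice", "plan": "pro"})
        # 2. A value the form never offered: the edited value="xyz" trick.
        results["forged"] = forge_post(url, {"user": "alice", "plan": "free_forever"})
        # 3. The same forgery scripted with form-letter substitution.
        results["batch"] = [
            forge_post(url, {"user": f"user{i}", "plan": "free_forever"})[0]
            for i in range(batch_size)
        ]
        return results
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Remove the `if fields.get("plan") not in ALLOWED_PLANS` check and every forged submission is "accepted", which is the situation the message's bosses and students did not believe in: the browser's form is a courtesy to the user, not a control, and whether the request arrives as GET or POST changes nothing about that.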