I don't think that using request over post adds anything in the way of
security; at the most it's going to delay an attacker for up to a
minute. I advocate using request if it's convenient; it can also open a
few nice tricks for advanced users. Using request allows me to bookmark
a login page, so hitting the bookmark will log me in and take me
straight to the main page. Passing data through get instead of post is
not necessarily a malicious attack.


David

Ben Ramsey wrote:
> On 6/17/06 3:07 PM, Anthony Ettinger wrote:
> 
>> It's more like painting the color of your front door, but still
>> leaving it unlocked. It doesn't change the fact that people can still
>> open the door.
>>
>> Every input field needs to be validated regardless of get vs. post.
>> The web developer toolbar for Firefox can easily convert all form
>> fields to one or the other, so it's trivial to send a get request as
>> post, and vice-versa.
>>
> 
> Which is why, if you read the last paragraph of my post, it said that
> there are two things you must do: 1) always check the origin of the
> input and 2) always filter (validate) the input.
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
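
Added example, not part of the original thread or written by any of its participants: one way to apply the two rules quoted above (check where the input came from, then filter it) to a login form in PHP. It assumes "origin" means which superglobal the value arrived in; the function name, field names and length limits are hypothetical, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Accept login fields only from the POST body (origin check), then validate
 * each one (filter). In a real handler this would be called as
 * read_login_input($_SERVER['REQUEST_METHOD'], $_GET, $_POST).
 */
function read_login_input(string $method, array $get, array $post): array
{
    $errors = [];

    // 1) Origin: credentials must arrive in a POST body, never in the URL.
    if ($method !== 'POST') {
        $errors[] = 'method must be POST';
    }
    foreach (['username', 'password'] as $field) {
        if (array_key_exists($field, $get)) {
            $errors[] = "$field must not be sent in the query string";
        }
    }

    // 2) Filter: read from $post only; reject arrays (username[]=x) and bad values.
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($username) || preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username) !== 1) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    if (!is_string($password) || strlen($password) < 8 || strlen($password) > 128) {
        $errors[] = 'password must be a string of 8-128 bytes';
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    return ['ok' => true, 'username' => $username, 'password' => $password];
}

// Constructed sample requests: method, query-string fields, body fields.
$samples = [
    'form post'      => ['POST', [], ['username' => 'david_01', 'password' => 'correct horse']],
    'bookmarked URL' => ['GET', ['username' => 'david_01', 'password' => 'correct horse'], []],
    'array field'    => ['POST', [], ['username' => ['x'], 'password' => 'correct horse']],
];
foreach ($samples as $label => [$method, $get, $post]) {
    $result = read_login_input($method, $get, $post);
    echo $label, ': ', $result['ok'] ? 'accepted' : 'rejected (' . implode('; ', $result['errors']) . ')', PHP_EOL;
}
```

Reading from $_REQUEST instead would merge query-string, body and (depending on the request_order setting) cookie values into one array, so the origin check in step 1 could not be made.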
