Just to clarify. Obfuscation is NOT a substitute for security. While I don't
disagree with the "when's" here of GET vs POST, this statement is a bit

Any cracker worth his salt can easily install any number of Firefox
extensions or Unix command line tools and not only view the POST data, but
alter it as well. So if you are sending something like a password, don't
think that it's "secure" just because Joe Average doesn't see it. If you're
not using SSL, then it is sent as plain text like everything else.

And don't assume that what you presented on a web page in select boxes and
other form elements is the ONLY thing that is going to come back to your
server to process. It's trivial to mangle the data. This is what SQL
injection is all about.


-----Original Message-----
From: Jason Pruim [mailto:ja...@jasonpruim.com] 
Sent: Sunday, April 12, 2009 12:57 PM
Subject: Re: [PHP] $_GET verses $_POST

POST does not display anything in the browser, so as others have said it's
perfect for logins since that info will never be visible to the user.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
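
The reply's point that a select box does not limit what comes back to the server, shown as an added example that is not part of the original thread: the handler keeps its own allowlist and uses a bound-parameter query. The `orders` table, the `size` and `qty` fields and the `save_order()` helper are hypothetical, and the demo assumes the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Options the form's <select> offers (hypothetical). The server keeps its own
// copy because the browser is free to send anything else.
const ALLOWED_SIZES = ['small', 'medium', 'large'];

/**
 * Validate a posted order and store it. Returns the new row id,
 * or null when the input is rejected.
 */
function save_order(PDO $db, array $post): ?int
{
    $size = $post['size'] ?? null;
    $qty  = $post['qty'] ?? null;

    // Arrays (size[]=x) and values outside the allowlist are rejected outright.
    if (!is_string($size) || !in_array($size, ALLOWED_SIZES, true)) {
        return null;
    }
    // Quantity must be a whole number in a sane range.
    $qty = filter_var($qty, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        return null;
    }
    // Bound parameters keep the data out of the SQL text even if a check is missed.
    $stmt = $db->prepare('INSERT INTO orders (size, qty) VALUES (:size, :qty)');
    $stmt->execute([':size' => $size, ':qty' => $qty]);
    return (int) $db->lastInsertId();
}

// Demo with an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, size TEXT, qty INTEGER)');

// Constructed request bodies: one as the form would send it, two altered in transit.
$requests = [
    ['size' => 'medium', 'qty' => '2'],
    ['size' => "medium'; DROP TABLE orders; --", 'qty' => '2'],
    ['size' => 'large', 'qty' => '-5'],
];
foreach ($requests as $post) {
    $id = save_order($db, $post);
    echo json_encode($post), ' => ', $id === null ? 'rejected' : "stored as #$id", PHP_EOL;
}
```

None of this protects the data on the wire; as the reply says, without SSL the POST body is still sent as plain text.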
