On 04.02.10 03:52, Nobody wrote:
On Wed, 03 Feb 2010 14:09:07 -0800, Paul Rubin wrote:

Also, your claim of it being more risky is simply nonsense. GET is a
tiny bit more prone to tinkering by the average user. But calling this
less risky is promoting security by obscurity, at most.

GET parameters also tend to get recorded in the http logs of web proxies
and web servers while POST parameters usually aren't.

More significantly, they'll appear in the Referer: header for any link the
user follows from the page, so they're visible to anyone who can get a
link to their site onto the page (whether <a href=...>, <img src=...> or
whatever).

Even if this isn't possible at the moment, will you remember to fix it the
first time you allow an off-site link?

You should assume that anything which goes into a GET request is visible
to the entire world. Don't put anything even remotely private in there.

You mean like

  http://www.google.de/search?q=dirty+buttsex

? Which is the key example for when to use GET - non-modifying queries.

I agree though that you have to be cautious about that, and using POST makes it easier to do so.

Diez
--
http://mail.python.org/mailman/listinfo/python-list
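
The two leak paths named in the thread (server/proxy logs and the Referer: header) can be checked for in an access log. The following is an added example, not part of the original messages; it assumes the Apache/nginx "combined" log format, and the parameter-name list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: parameter names treated as private; adjust for your application.
SENSITIVE = {"password", "passwd", "token", "sessionid", "api_key"}

# "combined" log format: "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact(url):
    """Return (redacted_url, leaked_names) for the query string of url."""
    parts = urlsplit(url)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            leaked.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scan(lines):
    """Return a list of (line_no, field, leaked_names, redacted_url)."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # "target" is what this server logged; "referer" is what another
        # page's URL exposed to this server when a link or image was fetched.
        for field in ("target", "referer"):
            url, leaked = redact(m.group(field))
            if leaked:
                findings.append((no, field, leaked, url))
    return findings

# Constructed sample log lines (not from any real server).
SAMPLE = [
    '203.0.113.5 - - [04/Feb/2010:03:52:00 +0000] "GET /search?q=python HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [04/Feb/2010:03:52:05 +0000] "GET /login?user=bob&password=hunter2 HTTP/1.1" 302 0 "-" "UA"',
    '198.51.100.7 - - [04/Feb/2010:03:53:10 +0000] "GET /banner.png HTTP/1.1" 200 900 "http://shop.example/account?sessionid=abc123" "UA"',
    '203.0.113.5 - - [04/Feb/2010:03:54:00 +0000] "POST /login HTTP/1.1" 302 0 "http://shop.example/login" "UA"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The plain search query and the POST login produce no findings; the GET login shows up in the request target and the session id shows up in the Referer field of an unrelated image fetch.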
