RE: [PHP] get and post together

2007-08-10 Thread Richard Lynch
On Thu, August 9, 2007 7:55 pm, Daevid Vincent wrote:
> It has a size limit for one (maybe 1k chars?)

The limit has been increased with each version of the HTTP spec, and
implementors have always been encouraged to make the limit as high as
practical.

But they could not claim to be implementing the spec with a limit
SMALLER than the spec.

> and it is trivial for
> someone to modify.

I am always concerned when I see this statement in isolation with
respect to GET, as it might imply to the reader that POST is somehow
harder to modify.

Nothing could be further from the truth!

Any moron can use Save as... on a FORM page, then alter each
VALUE=... to whatever they like, or add more INPUT tags, and then
open the form and click submit to send whatever POST data they like!

Similarly, it is equally trivial to open up your own cookie files (in
most browsers) and alter the contents.

> I generally use GET when I think it's a page setup the user may wish
> to bookmark (ie: page.php?orderby=name&descending=1&report=69 )

Definitely use GET if you want it bookmarkable.

> And POST for submitting data that I want to save. (ie: add a new user
> and all their glory).

Definitely use POST if it changes anything server-side.

Google for HTTP idempotent for more info on this.

-- 
Some people have a gift link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] get and post together

2007-08-09 Thread Daevid Vincent
I've done that on occasion, but do be careful what you are sending via
the GET.

It has a size limit for one (maybe 1k chars?) and it is trivial for
someone to modify.

I generally use GET when I think it's a page setup the user may wish
to bookmark (ie: page.php?orderby=name&descending=1&report=69 )

And POST for submitting data that I want to save. (ie: add a new user
and all their glory).

I have done a mixture, such as page.php?action=delete&id=5

But you have to be careful. I guess I always have some kind of user
class and verify they have permissions to use the page and or delete
said record anyways (logging failed attempts of course).

> -----Original Message-----
> From: Ray [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 08, 2007 8:19 PM
> To: php-general@lists.php.net
> Subject: [PHP] get and post together
>
> Hi all,
> I've done something and I want to know if I should be ashamed :)
>
> I've set up a form with method=POST and target =page.php?foo=bar
> it works fine. $_POST[...] gives me the data I want and
> $_GET['foo']=='bar'.
> I freely admit it's an ugly kludge, but is it bad?
> Ray

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
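
The checks raised in the two messages above (POST for anything that changes server-side state, validation of values whether they arrived by GET or POST, and a server-side permission check with failed attempts logged), as an added example that is not code from any of the posters. `handleRequest`, the `ACTIONS` table and the shape of the user record are assumptions made for illustration, and the requests at the bottom are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical table: actions page.php accepts => whether they change server-side state.
const ACTIONS = ['view' => false, 'delete' => true];

// $get/$post stand in for $_GET/$_POST (both client-controlled); $user is the
// server-side session record (assumed shape). Returns [HTTP status, message].
function handleRequest(string $method, array $get, array $post, array $user): array
{
    // The action rides in the query string, as in page.php?action=delete.
    $action = $get['action'] ?? '';
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return [400, 'unknown action'];
    }
    // A state-changing action must arrive as POST, never as a bookmarkable GET.
    if (ACTIONS[$action] && $method !== 'POST') {
        return [405, 'use POST for this action'];
    }
    // POST is as easy to edit as GET, so the id is validated whichever one carried it.
    $source = ACTIONS[$action] ? $post : $get;
    $id = filter_var($source['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'invalid id'];
    }
    // Permission comes from server-side state; failed attempts are logged.
    if (!in_array($action, $user['permissions'], true)) {
        error_log(sprintf('DENIED user=%s action=%s id=%d', $user['name'], $action, $id));
        return [403, 'forbidden'];
    }
    return [200, "$action $id ok"];
}

// Constructed requests, for illustration only.
$admin = ['name' => 'alice', 'permissions' => ['view', 'delete']];
$guest = ['name' => 'bob', 'permissions' => ['view']];
$cases = [
    ['GET',  ['action' => 'delete', 'id' => '5'], [], $admin],   // state change over GET
    ['POST', ['action' => 'delete'], ['id' => '5; x'], $admin],  // tampered form value
    ['POST', ['action' => 'delete'], ['id' => '5'], $guest],     // user lacks permission
    ['POST', ['action' => 'delete'], ['id' => '5'], $admin],     // accepted
];
foreach ($cases as [$method, $get, $post, $user]) {
    [$status, $message] = handleRequest($method, $get, $post, $user);
    echo "$method -> $status $message\n";
}
```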



Re: [PHP] get and post together

2007-08-08 Thread Sean Pringle
On 8/9/07, Ray [EMAIL PROTECTED] wrote:
> Hi all,
> I've done something and I want to know if I should be ashamed :)
>
> I've set up a form with method=POST and target =page.php?foo=bar
> it works fine. $_POST[...] gives me the data I want and $_GET['foo']=='bar'.
> I freely admit it's an ugly kludge, but is it bad?

I do this all the time and I'm not ashamed!  I don't think it is
particularly ugly either :-)

From a security POV, just be sure to validate all user input
regardless of where it comes from, as you would any normal request.




Re: [PHP] get and post together

2007-08-08 Thread Richard Lynch
On Wed, August 8, 2007 10:18 pm, Ray wrote:
> I've done something and I want to know if I should be ashamed :)
>
> I've set up a form with method=POST and target =page.php?foo=bar
> it works fine. $_POST[...] gives me the data I want and
> $_GET['foo']=='bar'.
> I freely admit it's an ugly kludge, but is it bad?

Almost for sure that is a Documented Feature of HTTP protocol.

I've certainly never seen it fail.




Re: [PHP] get and post together

2007-08-08 Thread Ray
On Wednesday 08 August 2007 10:29:33 pm Richard Lynch wrote:
> On Wed, August 8, 2007 10:18 pm, Ray wrote:
>> I've done something and I want to know if I should be ashamed :)
>>
>> I've set up a form with method=POST and target =page.php?foo=bar
>> it works fine. $_POST[...] gives me the data I want and
>> $_GET['foo']=='bar'.
>> I freely admit it's an ugly kludge, but is it bad?
>
> Almost for sure that is a Documented Feature of HTTP protocol.
>
> I've certainly never seen it fail.

Thanks, I feel better. 
(I definitely realize that method = post doesn't mean ignore security)
Ray