Don is right. No security issue here (and absolutely nothing to do with PHP's register_globals). I see little use in trying to discriminate between GET and POST on the action side, at least not in relation to security. Of course, you should never use GET when submitting a password, but that's a privacy concern you (the developer) just deal with when writing your JSP. A hypothetical convolved user can always try to go to the same URL using a GET, passing the parameters in the query string. But that would be a dumb user rather than a malicious one. The action could deny the request if it is a GET, but that would be little or no gain; the harm the user can do (to himself; e.g. leaving his password in some log) has already been done.
Hernán

On Tue, Oct 28, 2008 at 11:27 AM, Don Brown <[EMAIL PROTECTED]> wrote:
> PHP's register_globals really has nothing to do with GET vs POST but
> rather with how it could be possible to inject variables into a script
> to compromise later evaluation. Since Java doesn't allow such dynamic
> variables, there is no equivalent.