PHP from POST method like GET [duplicate]
Possible Duplicate:
Back button re-submit form data ($_POST)
I know that for security reasons it is better to use the POST method than GET. Anyway, if you have several web pages and you want to navigate between them, if you use the POST method your browser will re-submit the data of the previous form if you press the BACK or FORWARD button. Is there a way to use the POST method but let the user navigate between the previous or next page without resubmitting data? I do not know if
There is no security difference between POST and GET. If you do not want to have the resubmitting problem, you should follow the Redirect-After-Post pattern.
Edit:
For all the guys seeing a difference in terms of security.
- You can sniff either of those via man in the middle in plain text (while not having HTTPS)
- You can resend both requests
- You can invent security tokens for both methods
- The only difference is that POST does not expose information by the URL identifier. But an attacker will always also check the source code.
Having POST to insert data in databases etc. is not because of security. It is because of the widely used REST paradigm. But the REST paradigm is not a MUST while developing a web application. It is like any standard: you may follow its guidelines or you leave it alone.
There is btw also a nice post on the exact same topic with the same findings: Is either GET or POST more secure than the other?
Using the POST method isn't necessarily more secure than GET. For the sake of browsing between different pages something like ?page=home is perfectly ok, as long as you check the input before processing it. I know no method to stop browsers asking to resend the data, because there are good reasons to ask the user if he wants to send them again.
POST is not better than GET. POST is just more suitable if you want to do an operation that's gonna make a change in the DB (write). GET is... getting something from the DB (read). So to navigate between pages (and pagination), there's nothing wrong in using GET.
There is nothing wrong with using $_GET in your script, just don't insert data based on a GET request, and if you show data used from a GET, make sure you htmlspecialchars() it before outputting it to the user.
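The Redirect-After-Post pattern named in the first answer, combined with the htmlspecialchars() advice in the last one, as an added example that is not part of the original thread. The file name form.php, the session array standing in for a database insert, and the form token field are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Hypothetical file name: form.php
declare(strict_types=1);
session_start();

// Escape anything echoed into HTML, whether it arrived by GET or POST.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$_SESSION['csrf'] ??= bin2hex(random_bytes(32)); // per-session form token

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Only POST changes state, and only with a valid token.
    // filter_input() yields null/false for missing or array input; both cast to ''.
    $token = (string)filter_input(INPUT_POST, 'csrf');
    $name  = trim((string)filter_input(INPUT_POST, 'name'));
    if (!hash_equals($_SESSION['csrf'], $token)) {
        $_SESSION['flash'] = 'Invalid form token.';
    } elseif ($name === '' || strlen($name) > 100) {
        $_SESSION['flash'] = 'Name is required (max 100 bytes).';
    } else {
        $_SESSION['names'][] = $name; // stand-in for the database insert
        $_SESSION['flash'] = 'Saved.';
    }
    // 303 makes the browser follow up with GET, so Back/Forward and reload
    // re-request this page instead of re-submitting the form body.
    header('Location: form.php?page=1', true, 303);
    exit;
}

// GET: read-only. Validate the parameter before using it.
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
    ['options' => ['default' => 1, 'min_range' => 1]]) ?? 1;
$flash = $_SESSION['flash'] ?? '';
unset($_SESSION['flash']); // show the message once
?>
<!doctype html>
<title>Page <?= e((string)$page) ?></title>
<?php if ($flash !== ''): ?><p><?= e($flash) ?></p><?php endif; ?>
<ul>
<?php foreach ($_SESSION['names'] ?? [] as $n): ?>
  <li><?= e($n) ?></li>
<?php endforeach; ?>
</ul>
<form method="post" action="form.php">
  <input type="hidden" name="csrf" value="<?= e($_SESSION['csrf']) ?>">
  <input name="name" maxlength="100"> <button>Save</button>
</form>
```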