GET or POST methods

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

GET or POST methods

Post by alex.barylski »

Does it really matter?

Why would one ever want to determine what HTTP method was used at the PHP level? I cannot think of anything other than maybe security reasons or maybe implementing postback or somethign similar?

Any ideas on why I might want to detect POST during a submittion?
User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: GET or POST methods

Post by onion2k »

Strictly speaking it doesn't make any difference from a security point of view - you can't trust data from either. The reason you should check though is because it can be a sign that someone is trying to use a script in a way that it was intended for ... for example, if your form submits by post and you start getting variables in $_GET with the form field names then obviously someone is tacking them on to the end of the action URL ... that's definitely a sign something untoward is going on. Maybe they're checking if you're using register_globals or $_REQUEST?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: GET or POST methods

Post by alex.barylski »

That is actually what I'm thinking of doing...

Basically checking the method on each request against the known/accepted method and logging the type...if a user attempts X number of bunk attempts I will email the admin notifying them of something fishy.
Post Reply