WebApp Sec mailing list archives

Re: When GET = POST?


From: "Jeff Dafoe" <jeff () badtz-maru com>
Date: Mon, 11 Nov 2002 20:41:52 -0500

I'm going to buck the trend here, and say that from the point of view
of the script processing the form data, I don't think it matters that
much.

    I am glad someone else feels the way I do about this issue.  In the case
of a web application, it's not important to the script which method was used
to submit the data as long as proper validation and sanitization are
performed.  All that you really need to know is that the data originated
from an untrusted source and should be checked accordingly.  I could see
where explicitly checking for POST could lull someone into a false sense of
security.  Logging aside, POSTed data is no safer than data sent via GET, so
there is no point in checking to see which method was used to submit the
data.

Jeff
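
The point made in the message above, as an added example that is not part of the original post: a handler that only checks for POST passes hostile data straight through, while one that validates every value rejects it whichever method carried it. The "account" field, its digits-only allow-list, and the sample requests are constructed for illustration.

```python
import io
import re
from urllib.parse import parse_qs

# Hypothetical field rule (assumption): "account" is 1 to 12 digits.
ACCOUNT_RE = re.compile(r"[0-9]{1,12}")

GOOD = "account=12345"          # constructed sample input
BAD = "account=12345%3Cb%3E"    # constructed; decodes to 12345<b>

def make_environ(method, data):
    """Build a minimal WSGI environ carrying data via GET or POST."""
    body = data.encode("ascii") if method == "POST" else b""
    return {
        "REQUEST_METHOD": method,
        "QUERY_STRING": data if method == "GET" else "",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }

def extract_params(environ):
    """Return form fields from the request, whichever method carried them."""
    if environ.get("REQUEST_METHOD") == "POST":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length).decode("ascii", "replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    return {key: values[0] for key, values in parse_qs(raw).items()}

def method_gate_only(environ):
    """Weak: trusts any value as long as the request was a POST."""
    if environ.get("REQUEST_METHOD") != "POST":
        return None
    return extract_params(environ).get("account")

def validated(environ):
    """Method-agnostic: the value is untrusted and must match the allow-list."""
    value = extract_params(environ).get("account", "")
    return value if ACCOUNT_RE.fullmatch(value) else None
```
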

