05-17-2008, 01:26 AM
#2
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
Here is a basic overview of how it's done:
GET: Those names after the ? in the URL. Can be easily edited.
POST: Sent from page to page apart from the URL. It is, however, still passed by the browser. If passed from multiple pages, hidden forms can be used to continue the chain. Not quite as easy to forge as GET, but still very possible to forge to what you want. It also becomes very cumbersome to pass multiple values over many pages.
Sessions: Cannot be edited by the client without the help of a server-side script. While the data cannot be accessed and modified by the client after it has been set, it is difficult to confirm you are indeed talking to the same person since HTTP is a non-persistent protocol (it has no way of saying for sure who is who). Sessions can be hijacked if the proper measures are not taken into consideration. And like the other methods, the content of the container is only as safe as the script that places it there.
It is all about what you are passing that determines how you do it. I tend to pass small things via GET, and most of my AJAX calls are via GET. POST is better for larger things (like posts on forms), and sessions are great for passing things through many pages since you don't have to continue with hidden forms.
One thing remains consistent no matter which you use: you must verify your data when it is received. Just assume the hacker can put whatever he wants in the value. Like many other things in programming, there is no right way to do it, but there are many wrong ways.
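A small server-side sketch of the post's two closing points, written in Python as an added example (not code from the post or its author): every GET/POST value is checked against an explicit schema before it is used, and the data a multi-page form carries between steps lives in a server-side session rather than being re-posted in hidden fields. The schema format, SessionStore and the two step handlers are hypothetical.

```python
import secrets
from typing import Any, Dict, Mapping, Optional
# Hypothetical schema format (not from the original post): name -> (kind, constraint), where
# kind is "int" with an inclusive (lo, hi) range or "enum" with a set of allowed strings.
class BadInput(ValueError): pass  # raised when a client-supplied GET/POST value fails validation

def validate_params(raw: Mapping[str, str], schema: Dict[str, tuple]) -> Dict[str, Any]:
    """Treat every GET/POST value as attacker-controlled: keep only what the schema allows."""
    clean: Dict[str, Any] = {}
    for name, (kind, constraint) in schema.items():
        if name not in raw:
            raise BadInput(f"missing parameter: {name}")
        value = raw[name]
        if kind == "int":
            lo, hi = constraint
            # isdecimal() rejects '-1', '1e3', ' 5' and '0x10' before int() ever sees them
            if not value.isdecimal() or not lo <= int(value) <= hi:
                raise BadInput(f"{name} is not an integer in [{lo}, {hi}]")
            clean[name] = int(value)
        elif kind == "enum" and value in constraint:  # exact membership, no normalisation
            clean[name] = value
        else:
            raise BadInput(f"{name} is not an allowed value")
    return clean  # parameters the client sent that are not in the schema are dropped

class SessionStore:
    """Server-side session data; the client holds only an unguessable token."""
    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, Any]] = {}
    def create(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable, not sequential
        self._data[token] = {}
        return token
    def get(self, token: str) -> Optional[Dict[str, Any]]:
        return self._data.get(token)  # None for an unknown or forged token

STEP1 = {"qty": ("int", (1, 99)), "color": ("enum", {"red", "blue"})}
STEP2 = {"ship": ("enum", {"standard", "express"})}

def handle_step1(store: SessionStore, post: Mapping[str, str]) -> str:
    clean = validate_params(post, STEP1)  # validate before creating any server-side state
    token = store.create()
    store.get(token).update(clean)
    return token

def handle_step2(store: SessionStore, token: str, post: Mapping[str, str]) -> Dict[str, Any]:
    """Second form: step-1 data comes from the session, not from hidden fields the client could edit."""
    session = store.get(token)
    if session is None or "qty" not in session:
        raise BadInput("no valid session for this request")
    return {**session, **validate_params(post, STEP2)}
```

Only the token travels back to the browser, so a forged or expired token simply yields no session and the request is rejected instead of trusting whatever the client re-submitted.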