Is either GET or POST more secure than the other?
As far as security, they are inherently the same. While it is true that POST doesn't expose information via the URL, it exposes just as much information as a GET in the actual network communication between the client and server. If you need to pass information that is sensitive, your first line of defense would be to pass it using Secure HTTP.
GET or query string posts are really good for information required for either bookmarking a particular item, or for assisting in search engine optimization and indexing items.
POST is good for standard forms used to submit one time data. I wouldn't use GET for posting actual forms, unless maybe in a search form where you want to allow the user to save the query in a bookmark, or something along those lines.
Https get vs post
POST and GET are equally readable to people who know how. However, in browsers, GET shows variables in the address bar, so they are readily available and people can tamper with them, like changing ?bookid=34 to ?bookid=35... your web pages need to be able to handle this in general by always rechecking appropriate permissions. So if only this user can see this book, ensure the book belongs to the user as identified by the session userID (which is not passed as an HTTP variable).
From your question, it doesn't seem as though you are using browsers, so there is probably little to be gained by using POST throughout.
The one thing you must must must do is use SSL! This is vital and is the best security for protecting data in transit and GET or POST variables.
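The ownership re-check described in the answer above, as an added example that is not part of the original answer. It is written in Python rather than PHP, and the `BOOKS` table, the `view_book` function and the session dictionary are constructed for illustration.

```python
# Constructed data: book id -> record with the owning user's id.
BOOKS = {
    34: {"owner": 7, "title": "Alice's notes"},
    35: {"owner": 8, "title": "Bob's notes"},
}

def view_book(session, query):
    """Handle ?bookid=... and return (status, body).

    session is server-side state; query holds the untrusted URL parameters.
    """
    # Identity comes only from the session, never from a request variable.
    user_id = session.get("user_id")
    if user_id is None:
        return 401, None
    try:
        book_id = int(query.get("bookid", ""))
    except ValueError:
        return 400, None  # tampered or malformed id
    book = BOOKS.get(book_id)
    # Assumption of this example: answer "no such book" and "not your book"
    # identically, so changing 34 to 35 reveals nothing about other ids.
    if book is None or book["owner"] != user_id:
        return 404, None
    return 200, book["title"]

if __name__ == "__main__":
    alice = {"user_id": 7}
    for bookid in ("34", "35", "abc"):
        print(bookid, view_book(alice, {"bookid": bookid}))
```

The same check applies unchanged if the id arrives in a POST body instead of the URL.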
How secure is a HTTP POST?
SSL is a must.
POST method is not more secure than GET as it also gets sent unencrypted over network.
SSL will cover the whole HTTP communication and encrypt the HTTP data being transmitted between the client and the server.
PHP - is Get Method still less unsecure even if the user cannot see the address bar?
Everyone here is correct that both requests can be sniffed by intermediaries if you're not sending the data over a secure (i.e. SSL) connection.
One thing you need to keep in mind, however, is how your web server handles the two. Data sent by POST requests typically isn't logged by the server, whereas GET requests are. This is because GET data is really just part of the URL. We just think of it as separate data because PHP helpfully sorts it into a superglobal array for us. A request to a bare URL like http://www.google.com, despite having no query string, is still a GET request (unless you specifically invoke a different protocol in your client).
As with other GET requests, a request with a query string will still be entered into your server's access log. If you're passing sensitive information via query strings, you'll need to have a strategy for how to securely handle these logs and other places that such data might be recorded.
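One way to audit access logs for the exposure described in the answer above, as an added example that is not part of the original answer. The log lines are constructed samples in the common "combined" format, and the `SENSITIVE` parameter names are an assumed list to adapt per application.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=books HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "GET /reset?token=abc123&lang=en HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
]

# Assumed names of parameters that must never appear in a logged URL.
SENSITIVE = {"password", "passwd", "token", "secret", "apikey", "sessionid"}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def scan_line(line):
    """Return (redacted_line, [sensitive parameter names found in the URL])."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    found, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        cleaned.append((name, value))
    if not found:
        return line, []
    target = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return line[:m.start("target")] + target + line[m.end("target"):], found

def scan(lines):
    """Return (redacted lines, [(line number, parameter names), ...])."""
    out, findings = [], []
    for number, line in enumerate(lines, 1):
        redacted, names = scan_line(line)
        out.append(redacted)
        if names:
            findings.append((number, names))
    return out, findings

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG)[1]:
        print(f"line {number}: sensitive query parameters {names}")
```

The POST to /login produces no finding because its parameters travel in the request body, which this log format does not record.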
When should I use GET or POST method? What's the difference between them?
It's not a matter of security. The HTTP protocol defines GET-type requests as being idempotent, while POSTs may have side effects. In plain English, that means that GET is used for viewing something, without changing it, while POST is used for changing something. For example, a search page should use GET, while a form that changes your password should use POST.
Also, note that PHP confuses the concepts a bit. A POST request gets input from the query string and through the request body. A GET request just gets input from the query string. So a POST request is a superset of a GET request; you can use $_GET in a POST request, and it may even make sense to have parameters with the same name in $_POST and $_GET that mean different things.
For example, let's say you have a form for editing an article. The article-id may be in the query string (and, so, available through $_GET['id']), but let's say that you want to change the article-id. The new id may then be present in the request body ($_POST['id']). OK, perhaps that's not the best example, but I hope it illustrates the difference between the two.
When do you use POST and when do you use GET?
Use POST for destructive actions such as creation (I'm aware of the irony), editing, and deletion, because you can't hit a POST action in the address bar of your browser. Use GET when it's safe to allow a person to call an action. So a URL like:
http://myblog.org/admin/posts/delete/357
Should bring you to a confirmation page, rather than simply deleting the item. It's far easier to avoid accidents this way.
POST is also more secure than GET, because you aren't sticking information into a URL. And so using GET as the method for an HTML form that collects a password or other sensitive information is not the best idea.
One final note: POST can transmit a larger amount of information than GET. 'POST' has no size restrictions for transmitted data, whilst 'GET' is limited to 2048 characters.
PHP GET or POST security
When you are talking about security there are several levels. Using GET or POST will most likely not be a life or death type of choice, but it's definitely useful to make a distinction between the two.
As the name suggests, GET is meant to retrieve information and POST is used to send information. If you keep that in mind, it's not that hard to know what method to use.
In your case a user is POSTING a new message to a message board. So POST would be the right answer. The reason a POST is more secure for this, is that it always requires a specific action from the user or javascript. I cannot just send you a link via email and directly make you post a new message.
If I would use GET I could send you a link like http://www.example.com/postmessage.php?message=post%20me and if you click it, you would post it.
Now if your message board is secured with a username password, and you are logged in, I have posted on your behalf with the GET request and nobody would know it wasn't really you. So that is a potential security risk.
Now if I send you a mail with a link, you still need to click it. But consider I would be allowed to post images on that same message forum. I could post an image as myself like <img src='/postmessage.php?message=post%20me' width='0' height='0'/> and every user that visits my post would also post that message, since your/their browser tries to GET the image and I have again posted on your behalf.
Now if I could post javascript, I obviously could also make a POST request. But posting javascript is a lot less common.
Another side effect of GET request is that search engines would also spider this and would potentially create messages as well.
And last: A get request is limited. If you want to post a large message, you would need post. See What is the maximum possible length of a query string? for a lot of detail about the query string length. You would reach the maximum quickly with GET.
Now all these security issues cannot just be solved by using POST instead of GET and would require some more effort on the serverside code. But the first step is to use the proper method.
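The server-side effort the answer above refers to, sketched as an added example that is not part of the original answer. It is written in Python rather than PHP and uses a per-session anti-forgery token, one common approach the answer itself does not name; the in-memory stores, `login` and `post_message` are hypothetical stand-ins for the message board.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the session store and the message board.
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
MESSAGES = []   # (user, text)

def login(user):
    """Create a session holding a random per-session anti-forgery token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def post_message(method, session_id, query, body):
    """Handle the post-message action and return an HTTP status code.

    query = parameters from the URL, body = parameters from the request body.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    # State-changing action: refuse GET, so a link or an <img> tag cannot run it.
    if method != "POST":
        return 405
    # Input is read from the body only; anything in the URL is ignored.
    token = body.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403  # request did not come from a form this site rendered
    message = body.get("message", "")
    if not message:
        return 400
    MESSAGES.append((session["user"], message))
    return 200

def demo():
    """Replay the answer's scenarios against the handler."""
    sid = login("victim")
    good = {"message": "hello", "csrf_token": SESSIONS[sid]["csrf"]}
    results = {
        "img_tag_get": post_message("GET", sid, {"message": "post me"}, {}),
        "forged_post": post_message("POST", sid, {}, {"message": "post me"}),
        "real_form": post_message("POST", sid, {}, good),
    }
    return results, list(MESSAGES)

if __name__ == "__main__":
    print(demo())
```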
GET vs. POST does it really really matter?
Since you're the one writing the server software (presumably), then it cares if you tell it to care. If you handle POST and GET data identically, then no, it doesn't.
However, the browser definitely cares. Refreshing or clicking back to a page you got as a response to a POST pops up the little "Are you sure you want to submit data again" prompt, for example.