Online Forms
Posted: Mon Apr 05, 2004 12:03 pm
by Neo
I was wondering about this.
How secure is the data we submit using online forms? Does it make any difference security-wise if we use the POST method rather than the GET method?
If not then how can we improve the security of the data? Any good way of encrypting the data before submission (using client-side scripts like Javascript)? Or is there something else I'm missing?
Any insights appreciated.
Re:Online Forms
Posted: Mon Apr 05, 2004 12:43 pm
by Candy
Neo wrote:
If not then how can we improve the security of the data? Any good way of encrypting the data before submission (using client-side scripts like Javascript)? Or is there something else I'm missing?
Try https? SSL? TLS? Kerberos if you have to?
Re:Online Forms
Posted: Mon Apr 05, 2004 12:54 pm
by Neo
So there's not much security in the POST or GET methods? I thought the POST (as it doesn't show variables) method was better. Guess not, huh?
Re:Online Forms
Posted: Mon Apr 05, 2004 1:11 pm
by Candy
Neo wrote:
So there's not much security in the POST or GET methods? I thought the POST (as it doesn't show variables) method was better. Guess not, huh?
You either get it in plaintext over the network, or you post it in plaintext over the network. Not much difference in the old days, but some nowadays - the parameters are not stored in the history & index.dat & stuff like that.
Take SSL or SomethingCompletelyDifferent? (such as CURL) for security.
Re:Online Forms
Posted: Tue Apr 06, 2004 9:49 am
by mystran
There are two things. GET goes in the URL so it's limited to about 4k characters, and it gets saved into history, and browsers/proxies are allowed to get it again without the user's confirmation. Being in the URL also means that the request usually gets stored into server logs as plaintext.
POST allows any length of content (only limited by what the server is configured to allow), it gets transmitted in the request "body" which means it doesn't go into logs/histories, and browsers can only re-issue a POST request if a human user approves that (well they can, but it's specified that they should/must? not).
So basically, because of the re-requesting thing, you generally want to use POST for anything that involves modifications to permanent data. Thanks to history/log and length issues you also want to use POST for anything that involves 1) unknown, possibly large amount of data 2) any sensitive information.
Rest of the stuff (like searches, filter changes, page views, whatever) should be done with GET request, so they can be cached and the back-button can work without prompting user to confirm re-issuing of a post request.
Then there's encryption. With whatever request type, as long as you use HTTP, it goes over wire in plain-text. If you want it encrypted, you should use HTTPS. This is a different issue from the previous actually, but the idea is that when you need Security, you use HTTPS, but you always follow the POSTvsGET rules just to make your site act right.
DISCLAIMER: The rest is based solely on personal experience and MIGHT be wrong, and might not apply to all browsers..
Btw, to allow back-button (and forward too) to work nice without accidentally resending the form when you use POST forms, you can process the POST-request, then redirect user (with Location: header) to the page you want him next. This way the target of the redirection is generally what gets into history, not the POST-action.
If that page has the same URL as the submitted form, then the submitted form usually doesn't even go to the history list at all. This is very handy if you want to provide an edit page with save, and don't want users to back-button themselves to the stale copy, nor do you want them to accidentally resubmit the form.
But like I said, this is just my personal observation. I've been lazy enough to not check what's specified about this.
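The behaviour described in the post above, as an added example that is not part of the original thread: a toy request handler showing that a value sent in a GET query string lands in the access log while a POST body does not, and that redirecting after a POST leaves only a repeatable GET for reload and history. The paths, field names, sample values and the 303 status are assumptions made for the illustration (the post only mentions the Location: header), and neither request is protected on the wire without HTTPS.

```javascript
// Added example: a toy request handler, not a real web server.
// Requests are plain objects { method, url, body } (constructed sample input).
function createApp() {
  const accessLog = []; // what a typical access log keeps: method + request target
  const saved = [];     // the "permanent data" that a POST modifies

  function handle(req) {
    accessLog.push(`${req.method} ${req.url}`); // the body is never logged here
    const url = new URL(req.url, 'http://example.test'); // placeholder base
    if (req.method === 'GET' && url.pathname === '/search') {
      // Repeatable and cacheable, so GET is the right method.
      return { status: 200, body: `results for ${url.searchParams.get('q')}` };
    }
    if (req.method === 'POST' && url.pathname === '/edit') {
      const form = new URLSearchParams(req.body); // form-encoded body
      saved.push(form.get('note'));
      // Redirect after POST: the browser follows Location with a GET, so
      // history and reload point at the result page, not the submission.
      return { status: 303, headers: { Location: '/edit?saved=1' } };
    }
    if (req.method === 'GET' && url.pathname === '/edit') {
      return { status: 200, body: `notes stored: ${saved.length}` };
    }
    return { status: 404, body: 'not found' };
  }
  const inLog = (value) => accessLog.some((line) => line.includes(value));
  return { handle, inLog, saved };
}

function demo() {
  const app = createApp();
  // Sensitive value in a GET query string: recorded in the log line.
  app.handle({ method: 'GET', url: '/search?q=token-constructed-1' });
  // Sensitive value in a POST body: absent from the log line.
  const redirect = app.handle({ method: 'POST', url: '/edit', body: 'note=token-constructed-2' });
  // Following the redirect, then reloading, repeats only the GET.
  app.handle({ method: 'GET', url: redirect.headers.Location });
  const reload = app.handle({ method: 'GET', url: redirect.headers.Location });
  return {
    redirect,
    reloadBody: reload.body,
    getValueLogged: app.inLog('token-constructed-1'),
    postValueLogged: app.inLog('token-constructed-2'),
    savedCount: app.saved.length,
  };
}

console.log(demo());
```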
Re:Online Forms
Posted: Wed Apr 07, 2004 12:20 pm
by Neo
Ok, I have another related question; although it concerns forms, it is about Javascript actually.
I use this snippet for generating the entries in a drop-down list in my webpage. The thing is that it works in Windows but not Linux (in this it shows empty lists). Here's the code.
Code:
<script language="Javascript">
function fill(lst,start,end){
    for(i=start,j=0;i<=end;i++,j++){
        lst.options[j]= new Option(i,i,false);
    }
}
</script>
this is called using this
Code:
<script language="Javascript">
<!--
    fill(frm.day,1,31);
//-->
</script>
where 'day' is a select element in the 'frm' form.
Any ideas?
Re:Online Forms
Posted: Thu Apr 08, 2004 11:42 am
by Neo
Ahem... does anybody know how to add items to a drop-down list in an HTML web page form that works in both IE and Netscape?
I would appreciate it if you could tell me why the code above doesn't work in Netscape.
Re:Online Forms
Posted: Fri Apr 09, 2004 7:27 am
by ark
I don't know for sure, but your best bet is probably to use the standard Document Object Model functions, if you need the items to be added dynamically. I forget how they work off the top of my head. I think you have to call a createElement function and pass it "option" as a parameter.
It may be that the "new Option" code you're trying to use is a Microsoft extension.
Re:Online Forms
Posted: Fri Apr 09, 2004 7:44 am
by ark
Ok, the following code worked for me in Internet Explorer 6 and Mozilla 1.6:
Code:
<html>
<head>
    <title>
    </title>
    <script type = "text/javascript">
        function fill(lst, start, end)
        {
            var i;
            for (i = start; i <= end; i++)
            {
                var newOption = document.createElement("option");
                var optionText = document.createTextNode(i);
                newOption.insertBefore(optionText, null);
                lst.insertBefore(newOption, null);
            }
        }
    </script>
</head>
<body>
    <form id = "frm">
        <select id = "day">
        </select>
    </form>
    <script type = "text/javascript">
        fill(document.getElementById("day"), 2, 40);
    </script>
</body>
</html>
Re:Online Forms
Posted: Fri Apr 09, 2004 7:45 am
by ark
and of course JavaScript is not actually two words and should be lower-case. That's the message board's doing.
Re:Online Forms
Posted: Mon Apr 12, 2004 11:59 am
by Neo
Thanks Joel got it working at last. I have another question though....
How can I retrieve the state of a checkbox from a webpage submitted to my PHP script?
I seem to get the value 'on' only when the checkbox is 'checked', otherwise I get an error that the $_POST array var for this is undefined.
I concluded that the browser only sent across the value of the checkbox when it was checked. Is this right? If so then how do I tell if a check box was selected or not in my webpage?
Re:Online Forms
Posted: Mon Apr 12, 2004 1:01 pm
by Tim
Code:
// An unchecked checkbox is not sent at all, so test for the key's presence.
if (isset($_POST["checkbox"]))
    $is_checked = true;
else
    $is_checked = false;
Re:Online Forms
Posted: Tue Apr 13, 2004 12:12 pm
by Neo
Thanks Tim, will check it out now...
Joel wrote:
I don't know for sure, but your best bet is probably to use the standard Document Object Model functions, if you need the items to be added dynamically.
Where can I get the list of these functions? w3c.org gives me too many choices. I would appreciate it if anyone could give me a link.
Re:Online Forms
Posted: Fri Apr 16, 2004 11:08 am
by Joel (not logged in)
w3c.org is where I got my info from. I've seen a document that sort of explained what all the methods do, but I'm not sure where. Try looking for documentation on an XML parser. That might help. You could also try looking for DOM tutorials or something. I don't really know what else to suggest.
Re:Online Forms
Posted: Fri Apr 16, 2004 11:54 am
by anubis
Joel (not logged in) wrote:
Try looking for documentation on an XML parser. That might help. You could also try looking for DOM tutorials or something.
Try MSXML Parser info in MSDN and this for MSXML with JScript info