0

Possible Duplicate:
Is either GET or POST more secure than the other?
What is the difference between POST and GET?

My understanding is that the difference between $_GET and $_POST is that with $_GET you can see what the form is sending in the address bar.

Now I am making an iPhone app and it is being sent a URL with $_GET details in it. There is no way the user can see or guess the variables that are being used. Is there another reason why I shouldn't use GET?

I am sending sensitive data through the URL, so that is why I am asking if using $_GET is safe enough if the user CANNOT see the URL.

Also the data is being generated from the iOS app, so there is no website that contains this data on my server.

Thanks in advance:-)

Community
  • 1
  • 1
jwknz
  • 5,584
  • 13
  • 64
  • 105
  • $_GET enables you to send data through a URL and $_POST enables data to be posted. e.g. with $_GET you can accept www.example.com?data=something and then you can process the "data" which will contain the value "something". With security, as long as you validate it, it should be fine. I guess. You would need to use cURL in order to prevent the user from seeing it. Hope this helps – Phorce Jan 12 '13 at 08:41
  • 1
    It really depends on what you are trying to accomplish with the data transaction. I would read this - http://stackoverflow.com/questions/3477333/what-is-the-difference-between-post-and-get – Austin Brunkhorst Jan 12 '13 at 08:41
  • See also: [Is either GET or POST more secure than the other?](http://stackoverflow.com/q/198462/1402846) – Pang Jan 12 '13 at 08:42

5 Answers

1

GET and POST are request methods of HTTP; there are even more, like PUT and DELETE, that are not used by PHP. There is no security argument to stick to POST or GET, although best practice is to use GET for any data/information retrieval (e.g. a search action) and POST to send some data to store (e.g. user input).

If you are sending sensitive data you should think about SSL not request methods.

unused
  • 778
  • 4
  • 12
1

Everyone here is correct that both requests can be sniffed by intermediaries if you're not sending the data over a secure (i.e. SSL) connection.

One thing you need to keep in mind, however, is how your web server handles the two. Data sent by POST requests typically isn't logged by the server, whereas GET requests are. This is because GET data is really just part of the URL. We just think of it as separate data because PHP helpfully sorts it into a superglobal array for us. A request to a bare URL like http://www.google.com, despite having no query string, is still a GET request (unless you specifically invoke a different protocol in your client).

As with other GET requests, a request with a query string will still be entered into your server's access log. If you're passing sensitive information via query strings, you'll need to have a strategy for how to securely handle these logs and other places that such data might be recorded.

AgentConundrum
  • 19,570
  • 6
  • 59
  • 99
0

No, it is not secure. Your web site is still accessible from other machines which do have a URL bar visible. Also, it doesn't require a web browser to start to manipulate GET or POST requests; there are programs, such as Fiddler, that will allow someone to modify requests regardless of browser or how the data is submitted.

Using POST instead of GET makes it very slightly harder for an attacker to send you malicious data; it might stop a casual user experimenting with the URL, but it doesn't stop it. Essentially client data cannot be trusted; you must validate it on the server. If you need to transmit sensitive data you should use HTTPS.

From "Reluctance to trust":

Instead of making assumptions that need to hold true, you should be reluctant to extend trust. Servers should be designed not to trust clients, and vice versa, since both clients and servers get hacked. A reluctance to trust can help with compartmentalization.

Steve
  • 6,914
  • 2
  • 27
  • 49
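The advice in this answer and in the first one (send data with POST, put it behind HTTPS, and validate everything on the server regardless of method) as an added Python WSGI example; this is not code from any answer on this page. The handler name login_app, the field names username/password, the length limits, the JSON error bodies and the in-process call helper are all assumptions of the example:

```python
import io
import json
from urllib.parse import parse_qs

MAX_FIELD_LEN = 128      # assumed limits for this example, not values from the question
MAX_BODY_LEN = 4096


def _json_response(start_response, status, payload, extra_headers=()):
    body = json.dumps(payload).encode("utf-8")
    headers = [("Content-Type", "application/json"), ("Content-Length", str(len(body)))]
    headers.extend(extra_headers)
    start_response(status, headers)
    return [body]


def validate_credentials(fields):
    """Server-side checks: the client is untrusted no matter which method carried the data."""
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    errors = []
    if not (1 <= len(username) <= MAX_FIELD_LEN and username.isalnum()):
        errors.append("username must be 1-128 alphanumeric characters")
    if not (1 <= len(password) <= MAX_FIELD_LEN):
        errors.append("password must be 1-128 characters")
    return errors


def login_app(environ, start_response):
    """WSGI endpoint (hypothetical) that only takes credentials from a POST body over HTTPS."""
    # Plain HTTP: a GET or a POST would both be readable on the wire, so refuse either.
    if environ.get("wsgi.url_scheme") != "https":
        return _json_response(start_response, "403 Forbidden", {"error": "https required"})
    # GET: the query string ends up in the access log, so do not accept it at all.
    if environ.get("REQUEST_METHOD") != "POST":
        return _json_response(start_response, "405 Method Not Allowed",
                              {"error": "use POST"}, [("Allow", "POST")])
    # Even on a POST, a credential placed in the URL is still logged; reject it.
    if "password" in parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True):
        return _json_response(start_response, "400 Bad Request",
                              {"error": "credentials must be sent in the body"})
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = -1
    if not 0 < length <= MAX_BODY_LEN:
        return _json_response(start_response, "400 Bad Request", {"error": "bad content length"})
    raw = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    fields = parse_qs(raw, keep_blank_values=True)
    errors = validate_credentials(fields)
    if errors:
        return _json_response(start_response, "400 Bad Request", {"errors": errors})
    # Checking the password against a store is out of scope here; the point is the gate above.
    return _json_response(start_response, "200 OK", {"ok": True, "user": fields["username"][0]})


def call(app, method, scheme, body=b"", query=""):
    """Drive a WSGI app in-process (no server needed); returns (status line, decoded JSON body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, start_response))
    return captured["status"], json.loads(out.decode("utf-8"))


if __name__ == "__main__":
    # Constructed requests: the GET form the question describes, the same over plain HTTP, and the accepted form.
    print(call(login_app, "GET", "https", query="username=ttt&password=uuu"))
    print(call(login_app, "POST", "http", b"username=ttt&password=uuu"))
    print(call(login_app, "POST", "https", b"username=ttt&password=uuu"))
```

The ordering of the checks matters: the transport check comes first because a secret on plain HTTP is exposed whether or not the method is right, and the query-string check stays in place even for POST because the access log records the request line, not the method's intent.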
0

Good question. If the data is very sensitive, such as passwords, I wouldn't recommend using $_GET for the sole reason that people sniffing the wireless network can intercept the requested websites. Suppose a malicious user is sniffing all the web traffic on a network using a tool such as http://www.wireshark.org/; the password or other sensitive information will simply be displayed in the URL. Also, if the iOS app user were to find the URL by network sniffing, the user himself could change the data from his own browser by submitting customized HTTP requests. Consider using SSL or HTTPS to send data and avoid network sniffing (to a certain extent).

You can look into alternatives such as using JSON: How to send json data in the Http request using NSURLRequest

Good luck

Community
  • 1
  • 1
user1530249
  • 997
  • 3
  • 17
  • 27
  • 1
    Someone sniffing the network will be able to see the data in a post request too. You need to use SSL to prevent traffic from being sniffed. – Steve Jan 12 '13 at 08:48
  • Hi Steve, Thanks for the point. I have changed my answer accordingly. – user1530249 Jan 12 '13 at 08:50
0

Do not use GET to transfer sensitive data, even if you are using SSL, because web servers usually log the GET URL with the query string (but not the POST body) in their access log files. See this answer, this answer, and this comment.

Here are some sample log records found on my testing web server (I'm using Apache):

127.0.0.1 - - [10/Jan/2013:14:50:57 +0800] "GET /Web/WebAPI.php?action=login&username=ttt&password=uuu HTTP/1.1" 200 380 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.12"
127.0.0.1 - - [10/Jan/2013:14:51:05 +0800] "GET /Web/WebAPI.php?action=logout HTTP/1.1" 200 87 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.12"
127.0.0.1 - - [12/Jan/2013:13:26:13 +0800] "GET /Web/WebAPI.php?action=login&username=ttt&password=uuu HTTP/1.1" 200 380 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.12"

Now the user's password got logged on the server in plain text. You don't want that, do you?

Community
  • 1
  • 1
Pang
  • 8,605
  • 144
  • 77
  • 113
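Both this answer and AgentConundrum's answer above come down to the same thing: whatever is in the query string is in the access log. The following is an added Python example, not code from either answer, that parses Apache combined-format records like the ones quoted above, flags query-string parameters whose names look like secrets, and produces a redacted copy that can be retained safely. The first two sample lines are the records quoted in the answer, the third is constructed to show a POST to the same script; the SENSITIVE_KEYS list and the REDACTED marker are assumptions of the example:

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Apache "combined" log layout, i.e. the shape of the records quoted in the answer above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameter names that should never travel in a query string (assumed list; extend for your app).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "secret", "api_key", "apikey", "session"}
REDACTED = "REDACTED"

# Sample input: the first two lines are the records quoted in the answer, the third is constructed
# to show that a POST to the same script leaves no credentials in the request line.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2013:14:50:57 +0800] "GET /Web/WebAPI.php?action=login&username=ttt&password=uuu HTTP/1.1" 200 380 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.12"
127.0.0.1 - - [10/Jan/2013:14:51:05 +0800] "GET /Web/WebAPI.php?action=logout HTTP/1.1" 200 87 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.12"
127.0.0.1 - - [12/Jan/2013:13:26:13 +0800] "POST /Web/WebAPI.php HTTP/1.1" 200 380 "-" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.12"
"""


def parse_line(line):
    """Split one combined-format record into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def sensitive_params(params):
    """Names in the query string that match the sensitive list (case-insensitive)."""
    return [k for k, _ in params if k.lower() in SENSITIVE_KEYS]


def redact_target(target):
    """Return the request target with sensitive values replaced; other parameters unchanged."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_KEYS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(cleaned)).geturl()


def redact_line(line):
    """Rewrite one log record so it can be kept without retaining the secret."""
    m = LOG_RE.match(line)
    if m is None:
        return line
    start, end = m.span("target")
    return line[:start] + redact_target(m.group("target")) + line[end:]


def audit(log_text):
    """Scan a log and report every record that carries a sensitive parameter in its URL."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        keys = sensitive_params(rec["params"])
        if keys:
            findings.append({"line": lineno, "host": rec["host"], "method": rec["method"],
                             "path": rec["path"], "keys": keys})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} leaks {', '.join(f['keys'])}")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Redaction is a clean-up for logs that already exist; it does not address the other places the answers mention (browser history, proxies, referer headers), which is why the fix is to keep the secret out of the URL in the first place rather than to scrub it afterwards.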