
Re: POST vs. GET




On Mon, 8 Jan 1996, Antonio Vasconcelos wrote:

> Hi there.
> 
> I've been waiting for some posts to come up in order to learn this mailing
> list's 'modus operandi', but this looks to be a rather quiet place, so I'm
> posting anyway. Pardon me if I'm doing something wrong.
> 
> Ok, so my question is somewhat basic, but I couldn't find an answer by myself.
> 
> From a security point of view, is there any reason to use METHOD=GET instead
> of METHOD=POST when submitting forms?
> 
> I'm only asking this because a few days ago I came into a situation where I
> had to use POST. I was happy until then with GET, but GET with TEXTAREA
> fields when going through a TIS firewall looks to be a "no-no".
> I don't know why but everything after the first &0D looks to be truncated
> somewhere on the way to the server. This includes the other lines that may
> exist in the TEXTAREA and _ANY_ other field that may appear after the TEXTAREA.

The only sensitive data implications I'm aware of are from the fact
that the GET URI encoded form data is generally logged in the
various server log files and also often appears in the URL/URI
window of the browser. I've used the term 'sensitive data' because
one can hardly consider a switch to POST 'secure', but data will be
less visible to unexpected observers.

Secondly, there are apparently some browsers and also firewall
proxies or whatever which significantly limit the length of
the URI. Based on SGML limits associated with HTML, there are
element attribute value length limits.

Dave Morris
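
Added example (not part of the original messages): a small Python audit of Common Log Format access-log lines that reports GET requests whose form data ended up in the log, as the reply above describes. The field-name list, the 255-character length threshold, and the sample log lines are assumptions constructed for illustration; the check for percent-encoded CR/LF reflects the multi-line TEXTAREA case from the question.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of field names worth flagging; adjust to the forms you serve.
SENSITIVE = {"password", "passwd", "pwd", "ssn", "card", "cardnumber", "token", "secret"}
# Assumed threshold; the thread gives no specific URI length limit.
MAX_URI_LEN = 255

# Request field of a Common Log Format line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]*)"')

def audit_line(line):
    """Return a finding for a GET request that carries form data, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    uri = m.group("uri")
    parts = urlsplit(uri)
    if not parts.query:
        return None
    # Report field names only, so the audit output does not repeat logged values.
    fields = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return {
        "path": parts.path,
        "fields": fields,
        "sensitive": sorted(f for f in fields if f.lower() in SENSITIVE),
        "has_newline": bool(re.search(r"%0[da]", parts.query, re.I)),
        "too_long": len(uri) > MAX_URI_LEN,
    }

def audit(lines):
    """Audit an iterable of log lines and return the findings in order."""
    return [f for f in map(audit_line, lines) if f]

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    '192.0.2.10 - - [08/Jan/1996:10:00:00 +0000] "GET /cgi-bin/login?user=av&password=hunter2 HTTP/1.0" 200 512',
    '192.0.2.10 - - [08/Jan/1996:10:01:00 +0000] "POST /cgi-bin/login HTTP/1.0" 200 512',
    '192.0.2.11 - - [08/Jan/1996:10:02:00 +0000] "GET /cgi-bin/note?text=line1%0D%0Aline2&subject=hi HTTP/1.0" 200 64',
    '192.0.2.12 - - [08/Jan/1996:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The POST line produces no finding because its form data travels in the request body, which Common Log Format does not record.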

