Re: POST vs. GET

• To: "Robert S. Muhlestein" <robertm@teleport.com>, "David W. Morris" <dwm@shell.portal.com>
• Subject: Re: POST vs. GET
• From: Antonio Vasconcelos <vasco@bvl.pt>
• Date: Tue, 9 Jan 1996 18:34:09 GMT
• Cc: www-security@ns2.rutgers.edu

At 09:08 09-01-1996 -0800, Robert S. Muhlestein wrote:

>> > I'm only asking this because a few days ago I come into a situation where I
>> > had to use POST. I were happy until then with GET, but GET with TEXTAREA
>> > fields when going through a TIS firewall looks to be a "no-no".
>> > I don't know why but everything after the first &0D looks to be truncated
>> > somewhere in the way to the server. This includes the other lines that may
>> > exist in the TEXTAREA and _ANY_ other field that may appear after the
TEXTAREA.
>
>This may not have anything to do with the firewall at all.  How 
>would it, actually?  It could be associated with max size allowed for 
>QUERY_STRING (the env var used with method=GET). I believe this is why 
>method=POST is generally prefered for large amounts of data.  Sounds like 
>your data is simply getting truncated after QUERY_STRING maxes out.

I don't think so, because if I type "AEIOU" inside the TEXTAREA and _do_not_
press ENTER it works fine, but if I type "AEIOU"<ENTER> (or even "A"<ENTER>)
then all the rest is truncated. And, I if I'm working with an internal
server (some type of machine, same operating system, some server software)
GET works ok.
I'm sure that there's something wrong with that http-gw.

>> The only sensitive data implications I'm aware of are from the fact
>> that the GET URI encoded form data is generally logged in the
>> various server log files and also often appears in the URL/URI
>> window of the browser. I've used the term 'sensitive data' because
>> one can hardly consider a switch to POST 'secure' but data will be
>> less visable to unexpected observers.
>
>True.  Don't forget that QUERY_STRING is visible to anyone with shell
>access to the web server during the run of the CGI.  (Try a "ps -auxewwwww
>|fgrep QUERY_STRING" on any web server running frequent CGIs to see what I
>mean.) I believe this is really the reason POST is prefered.  STDIN is
>much harder to get at than the environment of the CGI.

I don't care much about that, 1st I don't have confidential info in this
machine, 2nd there is no login users (but myself) for me to worry about.
But, if POST is safer than GET... Well, I swich to POST, no problem.
regards,

Antonio Vasconcelos @ The Lisbon $tock Exchange
..........................................................
vasco@bvl.pt, vasco@individual.puug.pt, postmaster@bvl.pt,
webmaster@bvl.pt, http://www.bvl.pt:8080/~vasco
..........................................................
TEL: +351-1-790-9904            Bolsa de Valores de Lisboa
FAX: +351-1-795-2026            R. Soeiro Pereira Gomes
                                1600 LISBOA
http://www.bvl.pt/              PORTUGAL
..........................................................
 All opinions are my own, my employer thinks I'm working
..........................................................

• Re: POST vs. GET
• From: amonk <amonk@labyrinth.cftnet.com>

• Previous: Re: POST vs. GET
• Next: Re: POST vs. GET
• Index(es):
  • Index
  • Thread