Re^4: CGI MySQL insert/update special characters

just to clarify: if you use GET even on HTTPS, the GET parameters, just like the url, will not be encrypted (unless already encrypted). But POST over HTTPS will send its parameters (even plain-text ones) using the negotiated secure channel, right?

Comment on Re^4: CGI MySQL insert/update special characters

Replies are listed 'Best First'.
Re^5: CGI MySQL insert/update special characters by hippo (Archbishop) on Mar 29, 2020 at 12:21 UTC
No, that's incorrect. With an https GET the entire URL is sent over the encrypted channel. That's why we need SNI to distinguish between vhosts on the server side.	[reply]
Re^6: CGI MySQL insert/update special characters by Your Mother (Archbishop) on Mar 29, 2020 at 18:07 UTC
Adding: URLs are often seen as nothing special though and end up in logs galore or visible to various intermediary software to forward/proxy/cache. I think they should/must always be kept free of any special information.	[reply]
Re^6: CGI MySQL insert/update special characters by bliako (Abbot) on Mar 29, 2020 at 14:48 UTC
understand thanks	[reply]
Re^5: CGI MySQL insert/update special characters by jcb (Parson) on Mar 30, 2020 at 01:26 UTC
If the client drives the use of a secure channel, either using TLS on port 443 or TLS upgrade on port 80, the entire request (including the URL) will be sent encrypted. If the server demands an upgrade to HTTP/TLS (RFCs define a way to do this on port 80) before responding, then the entire request (including the body of a POST(!)) will have been initially sent in plaintext and then be repeated encrypted after the TLS negotiation is performed. The bigger problem with putting login parameters in URLs is that URLs are generally assumed to not be sensitive and tend to get stored all over the place, including server logs and browser history.	[reply]