in reply to POST in anchor tags?

Yes, you can embed a POST in a link, using JavaScript. Don't.

A POST is no more secure than a GET. You're still passing everything in plain text. The only difference is that POST is allowed to have side effects (changing data on a machine) and GET is not (getting a webpage). What you need is https, using SSL. Merlyn's Web Techniques column should be useful (especially the one on cookies), and Ovid's CGI course is very thorough in its treatment of security.

And, as always, study prior art. Sourceforge has several similar projects; see what they are doing about security, and do more.

Good luck

Cheers,
Erik

Re: Re: POST in anchor tags?
by dug (Chaplain) on May 14, 2002 at 18:50 UTC
    The only difference is that POST is allowed to have side effects (changing data on a machine) and GET is not (getting a webpage).

    This is actually a little bit misleading. The difference between a GET and a POST is actually how the data is passed to the server, not how that data is interpreted/used on the server. GET requests pass data along in the form of a query string appended to the uri. POST requests pass data along inline (can't think of a better word) with the HTTP request.

    GET requests have limitations to the size of the query string (varying from browser to browser and server to server), with the http 1.1 spec warning servers about handling uris longer than 255 bytes.

    I'm not aware of any limitation in size for POST requests.

    Any cgi script with sufficient system access can change data on the machine it runs on regardless of the request type.

    That said, yours was a resourceful post with great links.

    Dug

      You are correct, of course. However, my point was to the reason for the different methods.

      Cheers,
      Erik
Re: Re: POST in anchor tags?
by Joost (Canon) on May 15, 2002 at 11:24 UTC
    You're right about the security issues and side-effects. I've written a small introduction to server-side programming that also explains this at: the difference between GET and POST

    -- Joost downtime n. The period during which a system is error-free and immune from user input.
Re: Re: POST in anchor tags?
by Triscuit (Initiate) on May 14, 2002 at 21:54 UTC
    Hey, thanks guys.

    My security concerns at the MOMENT are simply that as I've got it now, the password is plainly visible to anyone who looks at the browser history, or even walks by the machine while it's logged in.

    I'll definitely take a look at those links though. If for no other reason than to see that little padlock in the status bar :D.

    And thanks for clearing up the whole "POST/GET" thing, that's been confusing me.

    thanks again for your help

    -William

      One of the basic principles of Web Security is "don't trust the browser". For example, don't trust that the browser won't cache a POST request. In fact, major browsers DO cache POST requests - note that if you press the BACK button to a POSTed page, they give you the option of reposting form data.

      Cheers,
      Erik
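
An added example, not part of any post in this thread: it builds the same login form as a GET and as a POST to show where the password travels in each case, as described in dug's reply and in William's history concern. The host `example.test`, the path `/login.cgi` and the credentials are constructed for illustration.

```python
# Added example: constructed requests; host, path and credentials are hypothetical.
from urllib.parse import urlencode, urlsplit, parse_qs

FORM = {"user": "william", "password": "s3cret-example"}  # constructed sample

def build_request(method, path, form, host="example.test"):
    """Return the raw HTTP/1.1 request bytes a browser would send for a form."""
    encoded = urlencode(form)
    if method == "GET":
        # GET: form fields become a query string appended to the URI.
        return f"GET {path}?{encoded} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    # POST: form fields travel in the request body, after the headers.
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(encoded)}\r\n\r\n{encoded}").encode()

def request_line(raw):
    """First line of the request; it carries the URL that history and access logs record."""
    return raw.split(b"\r\n", 1)[0].decode()

def parse_form(raw):
    """Recover the form fields as a CGI script would, from either location."""
    _, _, body = raw.partition(b"\r\n\r\n")
    method, target, _ = request_line(raw).split(" ", 2)
    source = urlsplit(target).query if method == "GET" else body.decode()
    return {k: v[0] for k, v in parse_qs(source).items()}

def exposure(raw, secret):
    """Report where the secret is visible for this request."""
    return {
        # Visible in the URL: browser history, address bar, server access log.
        "in_url": secret in request_line(raw),
        # Readable in the raw bytes: anyone on the network path when HTTPS is not used.
        "in_cleartext_bytes": secret.encode() in raw,
    }

if __name__ == "__main__":
    for method in ("GET", "POST"):
        raw = build_request(method, "/login.cgi", FORM)
        print(method, exposure(raw, FORM["password"]), parse_form(raw) == FORM)
```

Switching to POST only changes the `in_url` result; `in_cleartext_bytes` stays true for both methods until the connection itself is encrypted.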