Newsgroups: php.internals
Xref: news.php.net php.internals:58046
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Subject: Re: [PHP-DEV] $_PARAMETERS Super Global Object
From: ronabop@gmail.com (Ronald Chmara)
To: Larry Garfield
Cc: internals@lists.php.net
Date: Fri, 24 Feb 2012 15:04:47 -0800
In-Reply-To: <4F48153C.7040406@garfieldtech.com>

On Fri, Feb 24, 2012 at 2:54 PM, Larry Garfield wrote:
> On 2/24/12 4:48 PM, Ronald Chmara wrote:
>>
>> On Fri, Feb 24, 2012 at 2:40 PM, Larry Garfield
>>> Except that per HTTP, GET and POST are completely different operations.
>>> One is idempotent and cacheable, the other is not idempotent and not
>>> cacheable. I very much care which someone is using.
>> People exploiting security would *never* think of
>> caching/replaying/modifying a POST request, that's just totally
>> unimaginable! It would take, like HUGE computational effort to like,
>> cURL it or just type it out!
>> er, no.
> Please point out where I said that POST is not a security risk. I am quite
> sure I typed no such thing, so how you read such a thing I do not know. I
> am genuinely curious to see how you managed to interpret anything I said as
> "POST is secure because it won't be cached".

Well, I didn't actually say that you said any such thing.

I picked up on: "the other is not idempotent and not cacheable"

...which is obviously false, and I highlighted, in a security context, how
POSTs are cached, and should be treated with equal distrust as GET, because
both are suspect, user submitted, forms of data, subject to exploiting.

-Ronabop
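An added sketch (not code from this thread, from the $_PARAMETERS proposal, or from PHP itself; the class and method names are hypothetical) of a merged GET/POST parameter bag that keeps the request method visible and runs the same validation over both sources, so a handler can distrust both while still refusing state changes on GET:

```php
<?php
// Added example with hypothetical names; not from the thread or from PHP.
// A merged bag in the spirit of the proposed $_PARAMETERS that keeps the
// HTTP method visible and validates GET and POST input identically.

final class RequestParams
{
    private array $params;
    private string $method;

    // $get, $post and $method are passed in explicitly so this runs offline.
    public function __construct(array $get, array $post, string $method)
    {
        // POST values win on a name collision; both sources are untrusted.
        $this->params = array_merge($get, $post);
        $this->method = strtoupper($method);
    }

    public function method(): string
    {
        return $this->method;
    }

    // Same validation whether the value arrived via GET or POST.
    public function int(string $name, int $min, int $max): ?int
    {
        if (!isset($this->params[$name]) || is_array($this->params[$name])) {
            return null;
        }
        $v = filter_var($this->params[$name], FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }

    // Gate for state-changing handlers. A replayed or hand-typed POST still
    // passes this check, so it is necessary but not sufficient on its own.
    public function requirePost(): void
    {
        if ($this->method !== 'POST') {
            throw new RuntimeException('state change requires POST');
        }
    }
}

// Constructed sample input standing in for $_GET, $_POST and REQUEST_METHOD.
$req = new RequestParams(['id' => '42'], ['id' => '7', 'qty' => '3x'], 'get');
var_dump($req->int('id', 1, 1000));   // POST value overrides GET after validation
var_dump($req->int('qty', 1, 100));   // non-numeric input fails the same check
try {
    $req->requirePost();              // a GET request may not change state
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```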