Passing parameters in URL
Diez B. Roggisch
deets at nospam.web.de
Thu Feb 4 10:23:40 CET 2010
On 04.02.10 03:52, Nobody wrote:
> On Wed, 03 Feb 2010 14:09:07 -0800, Paul Rubin wrote:
>>> Also, your claim of it being more risky is simply nonsense. GET is a
>>> tiny bit more prone to tinkering by the average user. But calling this
>>> less risky is promoting security by obscurity, at most.
>> GET parameters also tend to get recorded in the http logs of web proxies
>> and web servers while POST parameters usually aren't.
> More significantly, they'll appear in the Referer: header for any link the
> user follows from the page, so they're visible to anyone who can get a
> link to their site onto the page (whether <a href=...>, <img src=...> or
> Even if this isn't possible at the moment, will you remember to fix it the
> first time you allow an off-site link?
> You should assume that anything which goes into a GET request is visible
> to the entire world. Don't put anything even remotely private in there.
You mean like
? Which is the key example for when to use GET - non-modifying queries.
I agree though that you have to be cautious about that, and using POST
makes it easier to do so.
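
The two leak paths named in this thread (query strings recorded in server and proxy logs, and query strings carried to other sites in the Referer header) can be checked for in an access log. The following is an added example, not part of the original messages; it assumes Combined Log Format, and the parameter-name list, hostnames and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumed list of parameter names treated as private; adjust per application.
SENSITIVE = {"token", "session", "sessionid", "password", "passwd", "api_key", "key", "auth"}

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>" "[^"]*")$'
)

def redact_url(url):
    """Return (redacted_url, names_of_sensitive_params_found)."""
    parts = urlsplit(url)
    found, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.append(name)
            value = "REDACTED"
        kept.append((name, value))
    if not found:
        return url, []  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(kept))), found

def scan_line(line):
    """Return (redacted_line, findings); findings is a list of (field, param)."""
    m = LOG_RE.match(line)
    if not m:
        return line, []
    target, t_found = redact_url(m["target"])
    referer, r_found = redact_url(m["referer"])
    findings = [("request", n) for n in t_found] + [("referer", n) for n in r_found]
    out = f'{m["head"]}{m["method"]} {target} {m["proto"]}{m["mid"]}{referer}{m["tail"]}'
    return out, findings

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    '192.0.2.10 - - [04/Feb/2010:10:23:40 +0100] "GET /search?q=python+list HTTP/1.1" 200 512 "-" "ExampleUA"',
    '192.0.2.10 - - [04/Feb/2010:10:24:01 +0100] "GET /account?user=bob&token=abc123 HTTP/1.1" 200 900 "-" "ExampleUA"',
    '198.51.100.7 - - [04/Feb/2010:10:24:05 +0100] "GET /banner.png HTTP/1.1" 200 4096 "http://app.example/account?user=bob&token=abc123" "ExampleUA"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        redacted, findings = scan_line(line)
        print(findings, redacted)
```

The third sample line is what a third-party server would record: the request itself carries nothing private, but the Referer field contains the full query string of the page that embedded the image.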