Source: php.net comments section

-- nucc1

worth clarifying:

POST is not more secure than GET.

The reasons for choosing GET vs POST involve various factors such as the intent of the request (are you "submitting" information?), the size of the request (there are limits to how long a URL can be, and GET parameters are sent in the URL), and how easily you want the action to be shareable. For example, Google searches are GET because it makes it easy to copy and share the search query with someone else simply by sharing the URL.

Security is only a consideration here due to the fact that a GET is easier to share than a POST. Example: you don't want a password to be sent by GET, because the user might share the resulting URL and inadvertently expose their password.

However, a GET and a POST are equally easy to intercept by a well-placed malicious person if you don't deploy TLS/SSL to protect the network connection itself.

All forms sent over HTTP (usually port 80) are insecure, and today (2017) there aren't many good reasons for a public website not to be using HTTPS (which is basically HTTP + Transport Layer Security).

As a bonus, if you use TLS, you minimise the risk of your users getting code (ADs) injected into your traffic that

-- Toasty_Pallate

It is worth noting that GET request parameters can be cached while POST request parameters are not. Meaning that if a password is sent by GET, it is stored at various points on the way to the server (your browser and anyone it's sharing info with, the people manning the firewall at the org that is receiving the GET, the server logs, etc.)

While it is true that HTTPS encrypts the URL and GET request parameters, nothing guarantees that there is not a Web Application Firewall (which decrypts all traffic going into the org for inspection) logging user info, or that one will not be implemented in the future at your org. Logs in plain text are (hopefully) a LOT easier to compromise than a database of hashed passwords.

So if you're managing sensitive information, it's best to use POST.
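Both comments above make the same practical point: a parameter sent by GET lives in the request line, and the request line is what servers, proxies and WAFs write to their access logs, while a POST body normally is not logged. The following is an added example, not code from the php.net comments or from PHP itself. It parses two constructed raw HTTP requests (the same login form submitted once by GET and once by POST; the host example.test and the client address are made up), collects the submitted parameters the way a server-side handler would, and then renders the Common Log Format line a typical web server would write for each request to show which parameter values end up in the log.

```python
"""Where submitted form values end up: request line (logged) vs. body (not logged).

Added example for the php.net comment thread on GET vs POST. The raw
requests, hostname and client address below are constructed for the demo.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the same login form, submitted by GET and by POST.
GET_REQUEST = (
    "GET /login?user=alice&password=hunter2 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Referer: https://example.test/\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "user=alice&password=hunter2"
)


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes are not mistaken for body.
    length = int(headers.get("content-length", 0))
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body": body[:length],
    }


def form_params(req: dict) -> dict:
    """Collect submitted parameters from query string and/or form body.

    This mirrors what a handler sees via $_GET / $_POST: the application
    gets the same data either way, which is why "POST is more secure" is
    not about the application but about where the bytes travel and rest.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(req["target"]).query).items()}
    content_type = req["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(req["body"]).items()})
    return params


def access_log_line(req: dict, client: str = "203.0.113.7",
                    status: int = 200, size: int = 512) -> str:
    """Render the Common Log Format line a web server or proxy would write.

    CLF records the full request line, including the query string, but
    never the request body. The timestamp is a fixed constructed value.
    """
    request_line = f'{req["method"]} {req["target"]} {req["version"]}'
    return f'{client} - - [10/Oct/2017:13:55:36 +0000] "{request_line}" {status} {size}'


def leaked_params(req: dict) -> set:
    """Names of submitted parameters whose values are visible in the log line."""
    line = access_log_line(req)
    return {name for name, value in form_params(req).items() if value in line}


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        req = parse_request(raw)
        print(access_log_line(req))
        print("  handler sees:", form_params(req))
        print("  leaked to log:", sorted(leaked_params(req)) or "nothing")
```

Running it shows the GET log line carrying `user=alice&password=hunter2` verbatim, while the POST line records only `POST /login HTTP/1.1`. The same request line also becomes the Referer header of the next navigation and a browser history entry, which is the "easy to share" property nucc1 describes; none of this is changed by TLS, since the log is written after decryption.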
