PHP Question |
Wed, Jan 3 2024 3:52 PM | Permanent Link |
Michael Saunders | I am looking at connecting to MySQL using PHP. I notice that whilst the $_GET works OK, the $_POST does not. This may be because the script is called from JavaScript and not HTML. Is this correct, and does it present a security problem? Note: I already access a REST service where the API key is sent as a parameter, so just wondering how they would process it securely. Thanks in advance.

e.g. PHP script:

$username = $_POST['username'];
$password = $_POST['password'];

or

$username = $_GET['username'];
$password = $_GET['password']; |
Wed, Jan 3 2024 6:12 PM | Permanent Link |
erickengelke | Michael Saunders wrote:
> I am looking at connecting to MYSQL using PHP I notice that whilst the $_GET works OK
> the $_POST does not

Since you are using PHP, you are likely using NGINX or Apache, I'm guessing. And you can look at server logs to verify what I'm writing.

You handle the generic POST parameters differently, they are passed in the TServerRequest.Content area and not on the URL line like GET's parameters are.

Parameters passed on the URL string (like GET does) are left in the HTTP Server logs because they are part of the URL string, so that makes them insecure on MOST systems including NGINX and Apache.

There are a couple of options on how to proceed.

It is possible (and often done) to pass the parameters in POST strategy like you suggest.

It is also possible (and often done) to pass userid and password or password hash or OAuth token in the header strings. This is often done in RESTful type services.

Some systems encrypt the password on the client machine with a single use time sensitive token generated by the server, and send the encrypted password over the SSL connection. This is even safer than POST method, because it prevents sophisticated attacks. Some do the same thing but with Public Key encryption.

These last two solutions make the software even more secure than just POST because mere access to the server isn't enough to do an attack.

In the past I've done these, but now I mostly use SAML (Apache Mellon Module) with ADFS, that way we can integrate single sign-on, and the security problems are offloaded to a different IT group.

To answer your question, in most cases, you are just safe enough using the POST solution as long as you trust the server and everyone who has access to it.

Erick
EWB Programming Books and Nice Component Library
See my EWB BLOG posts, at: http://www.erickengelke.com |
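The reply above says that URL parameters are left in the HTTP server logs and that the logs can be used to verify this. As an added example (not part of the original thread), the following audit script scans access-log lines for credential-like query parameters and reports their names without echoing the values. It assumes the Apache/NGINX "combined" log format; the parameter-name list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secrets. This list is an assumption; extend it
# to match the parameter names your own scripts accept.
SENSITIVE = {"username", "password", "passwd", "pwd",
             "apikey", "api_key", "token", "access_token"}

# The request line inside a "combined" format access-log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def find_logged_secrets(log_lines):
    """Return (line_no, method, path, [param names]) for every request whose
    query string carries a sensitive parameter. Values are never returned."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed line or not a request entry
        target = urlsplit(match.group("target"))
        # parse_qsl percent-decodes names, so "pass%77ord" is still caught.
        names = {name.lower()
                 for name, _ in parse_qsl(target.query, keep_blank_values=True)}
        hits = sorted(names & SENSITIVE)
        if hits:
            findings.append((line_no, match.group("method"), target.path, hits))
    return findings

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2024:15:52:01 +0000] "GET /login.php?username=michael&password=hunter2 HTTP/1.1" 200 512 "-" "EWB"',
    # Credentials sent in the POST body never appear in the request line.
    '203.0.113.7 - - [03/Jan/2024:15:53:10 +0000] "POST /login.php HTTP/1.1" 200 498 "-" "EWB"',
    '203.0.113.7 - - [03/Jan/2024:15:54:22 +0000] "GET /rest/items?apikey=CONSTRUCTED-KEY&page=2 HTTP/1.1" 200 2048 "-" "EWB"',
    # A POST that still puts a secret on the URL is logged like a GET.
    '203.0.113.7 - - [03/Jan/2024:15:55:40 +0000] "POST /login.php?pass%77ord=hunter2 HTTP/1.1" 200 498 "-" "EWB"',
]

if __name__ == "__main__":
    for line_no, method, path, names in find_logged_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {method} {path} logs {', '.join(names)} in the URL")
```

Any hit means the value is already on disk in the log and in any rotated or shipped copies, so the credential or API key should be rotated after the client is switched to the POST body or a request header.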
This web page was last updated on Wednesday, August 14, 2024 at 02:26 AM | © 2024 Elevate Software, Inc. All Rights Reserved