来源 php.net 评论区

-- nucc1

worth clarifying:

POST is not more secure than GET.

The reasons for choosing GET vs POST involve various factors such as intent of the request (are you "submitting" information?), the size of the request (there are limits to how long a URL can be, and GET parameters are sent in the URL), and how easily you want the Action to be shareable -- Example, Google Searches are GET because it makes it easy to copy and share the search query with someone else simply by sharing the URL.

Security is only a consideration here due to the fact that a GET is easier to share than a POST. Example: you don't want a password to be sent by GET, because the user might share the resulting URL and inadvertently expose their password.

However, a GET and a POST are equally easy to intercept by a well-placed malicious person if you don't deploy TLS/SSL to protect the network connection itself.

All Forms sent over HTTP (usually port 80) are insecure, and today (2017), there aren't many good reasons for a public website to not be using HTTPS (which is basically HTTP + Transport Layer Security).

As a bonus, if you use TLS  you minimise the risk of your users getting code (ADs) injected into your traffic that

--  Toasty_Pallate

It is worth noting that GET request parameters can be cached while POST request parameters are not. Meaning that if a password is GETted it is stored at various points on the way to the server (Your browser and anyone it's sharing info with, the people manning the firewall at the Org that is receiving the GET, the server logs, etc.)

While it is true that HTTPS encrypts the URL and GET request parameters, nothing guarantees that there is not a Web Application Firewall (that decrypts all traffic going into the Org for inspection) and is logging user info or that one will be implemented in the future at your org. Logs in plain-text are (hopefully) a LOT easier to compromise than a database of hashed passwords.

So if you're managing sensitive information, it's best to use POST.

随机推荐

  1. [題解]hdu_6412公共子序列

    https://blog.csdn.net/nka_kun/article/details/81902421 #include<bits/stdc++.h> #define ll long ...

  2. [译]Understanding ECMAScript6 基本知识

    基本知识 ECMAScript 6在ECMAScript 5之上做了大量的改变.一些改变很大,比如添加新的类型或者语法,而其它的非常小,提供了语言之上的渐进改进.这个章节包含了那些渐进改进,它们可能不 ...

  3. Python基础之collection

    collection-系列 cellection是作为字典.元组(列表与元组可互相转换)的扩充,在此需要导入cellection 一.计数器(counter) counter是对字典类型的补充,用户获 ...

  4. split命令:文件切割

    split命令:文件切割 有时候文件过大,导致不能正常使用,可以用split进行切割. 命令参数: split [选项] [要切割的文件] [输出文件名前缀] -a, --suffix-length= ...

  5. spring security 5 There is no PasswordEncoder mapped for the id "null" 错误

    转载请注明出处 http://www.cnblogs.com/majianming/p/7923604.html 最近在学习spring security,但是在设置客户端密码时,一直出现了一下错误提 ...

  6. Code First约定-数据注释

    通过实体框架Code First,可以使用您自己的域类表示 EF 执行查询.更改跟踪和更新函数所依赖的模型.Code First 利用称为“约定先于配置”的编程模式.这就是说,Code First 将 ...

  7. MVC验证注解(不包含自定义验证)

  8. 学习typescript(二)

    学习typescript(二) ts 与 js 交互 ts 调用 js module使用 分为两种情况: ts 调用自己写的 js ts 调用别人写的 js 也就通过 npm 安装的 第一种情况处理如 ...

  9. imageview加载本地和网络图片

    ImageView是Android程序中经常用到的组件,它将一个图片显示到屏幕上. 在UI xml定义一个ImageView如下: public void onCreate(Bundle savedI ...

  10. SQL根据出生日期精确计算年龄、获取日期中的年份、月份

    第一种: 一张人员信息表里有一人生日(Birthday)列,跟据这个列,算出该人员的年龄 datediff(year,birthday,getdate()) 例:birthday = '2003-3- ...