Thread: PHP Question
Wed, Jan 3 2024 3:52 PM

Michael Saunders

I am looking at connecting to MySQL using PHP. I notice that while the $_GET works OK, the $_POST does not. This may be because the script is called from JavaScript and not HTML. Is this correct, and does it present a security problem? Note: I already access a REST service where the API key is sent as a parameter, so I'm just wondering how they would process it securely. Thanks in advance.

e.g. PHP script

<?php
// credentials read from the POST body (populated for form-encoded requests)
$username = $_POST['username'];
$password = $_POST['password'];

or

<?php
// credentials read from the URL query string
$username = $_GET['username'];
$password = $_GET['password'];
Wed, Jan 3 2024 6:12 PM

erickengelke


Michael Saunders wrote:
> I am looking at connecting to MySQL using PHP. I notice that while the $_GET works OK,
> the $_POST does not.

Since you are using PHP, you are likely using NGINX or Apache, I'm guessing.  And you can look at server logs to verify what I'm writing.

You handle the generic POST parameters differently; they are passed in the TServerRequest.Content area and not on the URL line like GET's parameters are.

Parameters passed on the URL string (like GET does) are left in the HTTP Server logs because they are part of the URL string, so that makes them insecure on MOST systems including NGINX and Apache.

There are a couple of options on how to proceed.

It is possible (and often done) to pass the parameters with the POST strategy, as you suggest.

It is also possible (and often done) to pass the user ID and password, or a password hash or OAuth token, in the header strings. This is often done in RESTful-type services.

Some systems encrypt the password on the client machine with a single-use, time-sensitive token generated by the server, and send the encrypted password over the SSL connection. This is even safer than the POST method, because it prevents sophisticated attacks.

Some do the same thing but with Public Key encryption.

These last two solutions make the software even more secure than just POST because mere access to the server isn't enough to do an attack.

In the past I've done these, but now I mostly use SAML (Apache Mellon module) with ADFS; that way we can integrate single sign-on, and the security problems are offloaded to a different IT group.

To answer your question, in most cases, you are just safe enough using the POST solution as long as you trust the server and everyone who has access to it.

Erick
EWB Programming Books and Nice Component Library
See my EWB BLOG posts, at:
http://www.erickengelke.com
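As an added example (not code from either poster), the PHP side of the login script from the first post, written so that it works both when the JavaScript client sends a form-encoded body and when it sends JSON (in which case PHP leaves $_POST empty and the raw body must be decoded), and so that it refuses GET, keeping the credentials off the URL line and out of the server logs as Erick describes. The `users` table, its `password_hash` column and the database credentials are assumptions.

```php
<?php
// Added example, not from the thread. Reads a username/password from the POST body
// whether the client sent application/x-www-form-urlencoded or application/json,
// and rejects GET so credentials never appear in the request line of the server log.
declare(strict_types=1);

function read_credentials(): ?array
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        return null;
    }
    $contentType = $_SERVER['CONTENT_TYPE'] ?? '';
    if (stripos($contentType, 'application/json') === 0) {
        // fetch()/XMLHttpRequest with a JSON body: PHP does not populate $_POST,
        // so the raw body has to be decoded by hand.
        $body = json_decode((string) file_get_contents('php://input'), true);
        $username = is_array($body) ? ($body['username'] ?? null) : null;
        $password = is_array($body) ? ($body['password'] ?? null) : null;
    } else {
        // application/x-www-form-urlencoded or multipart/form-data: $_POST is filled.
        $username = $_POST['username'] ?? null;
        $password = $_POST['password'] ?? null;
    }
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        http_response_code(400);
        return null;
    }
    return ['username' => $username, 'password' => $password];
}

$creds = read_credentials();
if ($creds === null) {
    exit;
}

// Assumed schema: table `users` with columns `username` and `password_hash`
// (hashes produced by password_hash()). Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->execute([$creds['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$ok = $row !== false && password_verify($creds['password'], $row['password_hash']);

header('Content-Type: application/json');
echo json_encode(['ok' => $ok]);
```

On the JavaScript side this matches a call such as `fetch(url, {method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify({username, password})})`; a GET to the same script now returns 405 instead of logging the password with the URL.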