Forum Moderators: coopster
[php.net...]
But if you mean can you encrypt a URL and have it remain recognizable to a user's browser without first decrypting it, then no.
http://www.google.com/search?q=php+get+versus+post [google.com]
Or do you mean the substitution of # for &? That can be done using mod rewrite:
http://www.google.com/search?q=mod_rewrite+tutorial [google.com]
www.example.com/login.php?action#log=true
I see this a lot on websites; I was thinking of incorporating it into my site's URL.
You may see it a lot, but it's not the "most graceful solution" and it's not "SEO friendly" or user friendly. It is also, in many cases, a dent in security.
One has to ask "why" you want to "start implementing it on your site." Most of us (well, me anyway) make efforts to eliminate query strings in lieu of creating more SEO and user friendly URLs.
The following comments also refer to your previous thread [webmasterworld.com], as I get the impression you are still puzzling over the same question.
When you post a form without an action or action GET, you will get what you have there, a query string. Various things can be gleaned from that simple query string:
- you are passing input action to login.php which performs some function in the program.
- you are passing a fragment identifier anchor log with a value of true that performs some function in the program.
A hacker can conjecture that these inputs have some vital function in the program, so he/she can start doing things with those inputs just to "see what happens". These are in effect "clues" for a hacker, little bits of info that can be used as a starting point for injecting malicious data to your site. Per the previous thread, as mentioned, PHP is not insecure, it's how it's implemented that makes it insecure. Although minor points of entry, these are two entry points that can be eliminated.
There are a number of ways to eliminate dependence on query strings and the subsequent problems they can cause you. You start by using the method post in all your forms, which does not result in a query string. Second, you can use session variables and other methods to carry around vital program variables, and can implement mod_rewrite with .htaccess so you get
www.example.com/user-login
instead of
www.example.com/login.php
Which reveals not only the technology of your site, but also the location of your script.
If you discuss security in respect to get and post, the truth is post is actually less secure only in that it can accept a larger chunk of input data. Get is restricted to a smaller length - can't recall what the parameters are, but I know it's less than post.
Thank you for clarifying, I've forgotten more than a lot of people know. :-) After a bit of research, here's a doc from Boutell.com, which should probably fly, Thomas Boutell is one of the "founding fathers" in web tech along with Lincoln Stein . . . if he's not an authority, oh well.
maximum length of a URL [boutell.com]
What can be gleaned here, and from the RFC, is that in spite of browser or server, a long query string is unreliable at best.
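The advice given earlier in the thread (post the form, keep state in session variables, and put a clean URL in front of the script with mod_rewrite), as an added example that is not part of any post above. The function `check_credentials`, the field names `user` and `pass`, the sample account, the redirect target and the rewrite rule in the comment are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumed .htaccess rule that maps
// the clean URL onto this script so visitors only ever see /user-login:
//   RewriteEngine On
//   RewriteRule ^user-login/?$ login.php [L]
declare(strict_types=1);
session_start();

// Hypothetical credential check with a constructed sample account; a real
// site would look up a password_hash() value stored for the user.
function check_credentials(string $user, string $pass): bool
{
    $stored = ['alice' => password_hash('constructed-sample-password', PASSWORD_DEFAULT)];
    return isset($stored[$user]) && password_verify($pass, $stored[$user]);
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read only from $_POST, so nothing in the query string drives the login.
    $user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
    $pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

    // POST hides the fields from the URL but they are still user input:
    // validate the shape before using them.
    if (preg_match('/^[A-Za-z0-9_]{1,32}$/', $user) === 1
        && check_credentials($user, $pass)) {
        session_regenerate_id(true);   // fresh session id once logged in
        $_SESSION['user'] = $user;     // state is kept server-side, not in the URL
        header('Location: /');
        exit;
    }
    $error = 'Login failed.';
}
?>
<form method="post" action="/user-login">
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <input name="user" autocomplete="username">
  <input name="pass" type="password" autocomplete="current-password">
  <button type="submit">Log in</button>
</form>
```

Because the rewrite is internal, the browser's address bar keeps showing /user-login while Apache hands the POST to login.php unchanged.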