Passing parameters in URL

Paul Rubin no.email at nospam.invalid
Wed Feb 3 17:09:07 EST 2010


"Diez B. Roggisch" <deets at nospam.web.de> writes:
> Also, your claim of it being more risky is simply nonsense. GET is a
> tiny bit more prone to tinkering by the average user. But calling this
> less risky is promoting security by obscurity, at most.

GET parameters also tend to get recorded in the http logs of web proxies
and web servers while POST parameters usually aren't.  This was an
annoyance in a web chat package I fooled with for a while.  Because the
package sent user messages by GET, if I ran the software the way the
developers set it up, the contents of all the user conversations stayed
in my server logs.  I was unable to convince the chat package
maintainers that this was a bug.  I ended up doing some fairly kludgy
hack to prevent the logging.
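
The logging behaviour described in this message, shown as an added example that is not part of the original post and is not the workaround its author used: an access-log entry records the request line, so GET parameters land in the log while a POST body does not. The function names, the `/chat/send` path, the parameter names and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"'
)

# Constructed sample entries: the same chat message sent by GET and by POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2010:17:09:07 -0500] '
    '"GET /chat/send?room=lobby&msg=meet+me+at+5 HTTP/1.1" 200 12',
    '203.0.113.7 - - [03/Feb/2010:17:09:09 -0500] '
    '"POST /chat/send HTTP/1.1" 200 12',
]


def logged_params(line):
    """Return the query parameter names exposed by one access-log entry."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m["target"]).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)]


def redact_target(target, keep=frozenset()):
    """Replace every query-string value with REDACTED, except keys in keep."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, v if k in keep else "REDACTED") for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_line(line, keep=frozenset()):
    """Rewrite one log entry so query values no longer appear in it."""
    def repl(m):
        target = redact_target(m["target"], keep)
        return '"%s %s %s"' % (m["method"], target, m["proto"])
    return REQUEST_RE.sub(repl, line, count=1)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(logged_params(entry), "->", scrub_line(entry, keep={"room"}))
```

Scrubbing only cleans logs you control; the same request line is still visible to any proxy between client and server that keeps its own log.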


