Are Form variables more secure?
I had recently asked Mr Raymond Camden for his opinion on wether form variables would be more secure than URL due to a request at work. I have attached a word doc detailing this issue and ways to solve it. I have asked around and used several quotes and opinions. Overall, here is a summary:
The cost of changing all interaction to form submittals is not monumental, but it will be consuming. All developers will need to change their URL links to JavaScript in order to submit requests. Although it is not a monumental task, IT WILL produce more work without actually getting the real security benefit. Form variables will not protect the application or discourage anybody to mess with the application. The real security implementations need to be performed in server-side validation and used in conjunction with tools provided by ColdFusion and the Database. A first rule of validation should be not to trust either FORM or URL variables; they should always be validated. It is the role of the developer to protect the database and its contents, no matter if you are using a POST or a GET.