I'm creating a page to give my site's users the ability to update their profile.
Now, the profile page edit.php is sending data to this page (update.php) as _GET information.
Is this OK? I mean, if a user had a profile that was 1000 words long, wouldn't that be a lot of words to pass to the browser as _GET information? Shouldn't this be POST? Or am I wrong?
Here is the code that takes the information from edit_profile.php and sends it to SQL:
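<?php
require_once('header.php'); // assumed to open the MySQL connection and set $user

// Escape each value before it is interpolated into the SQL string.
$loc = mysql_real_escape_string($_GET['loc']);
$sig = mysql_real_escape_string($_GET['sig']);
$fname = mysql_real_escape_string($_GET['fname']);

// Password fields are only hashed or compared, never placed in SQL as-is.
$cpass = $_GET['cpass'];
$npass = $_GET['npass'];
$rpass = $_GET['rpass'];

// Update the profile fields.
mysql_query("UPDATE user SET location='$loc', sig='$sig', name='$fname' WHERE user='$user'");

// Load the stored row to check the current password (stored as an MD5 hash).
$ro = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE user = '$user'"));

// Strict comparison avoids PHP type juggling on hash strings.
if (md5($cpass) === $ro['pass']) {
    if ($rpass === $npass) {
        $pass = md5($npass);
        mysql_query("UPDATE user SET pass='$pass' WHERE user='$user'");
    }
}

// Encode the note so the redirect URL is valid, then stop the script.
header("Location: edit.php?note=" . urlencode("Success, The account was updated successfully"));
exit;
?>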
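
An added example, not part of the original post: the same update.php handler accepting POST only, so the profile text and the three password fields stay out of the URL (and out of access logs, browser history and Referer headers), with prepared statements in place of string-built SQL. It assumes a PDO connection `$pdo` from a hypothetical `db.php`, a login that sets `$_SESSION['user']` and `$_SESSION['csrf']`, a hidden `csrf` form field, and a `pass` column that already holds `password_hash()` output rather than MD5.

```php
<?php
// Added example: hardened update.php. Assumptions (not from the post):
// $pdo is a PDO connection; $_SESSION['user'] and $_SESSION['csrf'] are
// set at login; the `pass` column holds password_hash() output.
session_start();
require_once 'db.php'; // hypothetical file that creates $pdo

// Accept POST only: profile text and passwords never appear in the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit;
}
// Reject cross-site submissions of the form.
if (!isset($_SESSION['user'], $_SESSION['csrf'], $_POST['csrf'])
    || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
    http_response_code(403);
    exit;
}
$user = $_SESSION['user'];
// Read a form field as a string; missing or array-valued input becomes ''.
$field = function ($name) {
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
};

// Placeholders keep user input out of the SQL text.
$stmt = $pdo->prepare('UPDATE user SET location = ?, sig = ?, name = ? WHERE user = ?');
$stmt->execute([$field('loc'), $field('sig'), $field('fname'), $user]);

$note = 'Success, The account was updated successfully';
if ($field('npass') !== '') {
    $stmt = $pdo->prepare('SELECT pass FROM user WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // Change the password only if the current one verifies and both new entries match.
    if (is_string($hash) && password_verify($field('cpass'), $hash)
        && hash_equals($field('npass'), $field('rpass'))) {
        $stmt = $pdo->prepare('UPDATE user SET pass = ? WHERE user = ?');
        $stmt->execute([password_hash($field('npass'), PASSWORD_DEFAULT), $user]);
    } else {
        $note = 'Profile saved, password not changed'; // constructed message
    }
}
// Redirect after POST so a page reload does not resubmit the form.
header('Location: edit.php?note=' . urlencode($note), true, 303);
exit;
```

The form in edit.php needs `method="post"` for this handler to receive the fields.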