When you are talking about security there are several levels. Using GET or POST will most likely not be a life-or-death type of choice, but it's definitely useful to make a distinction between the two.

As the name suggests, GET is meant to retrieve information and POST is used to send information. If you keep that in mind, it's not that hard to know which method to use.

In your case a user is POSTing a new message to a message board, so POST would be the right answer. The reason a POST is more secure for this is that it always requires a specific action from the user or JavaScript. I cannot just send you a link via email and directly make you post a new message.

If I used GET, I could send you a link like http://www.example.com/postmessage.php?message=post%20me and if you clicked it, you would post it. Now if your message board is secured with a username and password, and you are logged in, I have posted on your behalf with the GET request and nobody would know it wasn't really you. So that is a potential security risk.

Now if I send you a mail with a link, you still need to click it. But consider that I would be allowed to post images on that same message forum. I could post an image as myself like <img src='/postmessage.php?message=post%20me' width='0' height='0'/> and every user that visits my post would also post that message, since your/their browser tries to GET the image and I have again posted on your behalf.

Now if I could post JavaScript, I obviously could also make a POST request. But posting JavaScript is a lot less common.

Another side effect of a GET request is that search engines would also spider it and would potentially create messages as well.

And last: a GET request is limited. If you want to post a large message, you would need POST. See "What is the maximum possible length of a query string?" for a lot of detail about query string length. You would reach the maximum quickly with GET.

Now all these security issues cannot just be solved by using POST instead of GET and would require some more effort in the server-side code. But the first step is to use the proper method.
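The server-side effort the answer alludes to, shown as an added example that is not part of the answer or of any real message board: a generic Python handler standing in for the hypothetical postmessage.php. It refuses anything that is not a POST (so an e-mailed link, a zero-size <img>, or a crawler cannot create a message), then requires a per-session CSRF token that only the site's own form can carry, since a cross-site form can auto-submit a POST but cannot read the token. The in-memory SESSIONS and MESSAGES stores, the login() helper and the dict-based request shape are all constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for a real session backend and
# message table. Everything here is an assumption for the demo.
SESSIONS = {}   # session id -> {"user": name, "csrf": per-session token}
MESSAGES = []   # (user, message) pairs that were actually accepted


def login(user):
    """Create a session for `user` and return the session id (cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own message form as a hidden field.
    A link in an e-mail or an <img> tag on another post cannot know it."""
    return SESSIONS[sid]["csrf"]


def post_message(method, cookies, params):
    """Handler for the message-posting endpoint. Returns (status, text).

    `cookies` and `params` are plain dicts: the browser attaches cookies
    automatically (which is why the GET link and <img> tricks work at all),
    while `params` is the query string for GET or the form body for POST.
    """
    # Step 1: state-changing actions are only accepted via POST, so a plain
    # link, an <img src=...>, or a search-engine crawler can never post.
    if method != "POST":
        return 405, "Method Not Allowed"

    # Step 2: the user must actually be logged in.
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "Unauthorized"

    # Step 3: POST alone is not enough, because a hidden form on another site
    # can auto-submit. Require the per-session token the server put in its
    # own form, compared in constant time on bytes so odd input cannot raise.
    token = params.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "Forbidden: missing or invalid CSRF token"

    message = params.get("message", "").strip()
    if not message:
        return 400, "Bad Request: empty message"
    MESSAGES.append((session["user"], message))
    return 201, "Created"


if __name__ == "__main__":
    sid = login("alice")
    # The e-mailed link / <img> tag from the answer: cookie is sent, but it
    # is a GET, so it is refused and nothing is stored.
    print(post_message("GET", {"session": sid}, {"message": "post me"}))
    # A forged cross-site form POST: cookie present, token absent.
    print(post_message("POST", {"session": sid}, {"message": "post me"}))
    # The legitimate submission from the site's own form.
    print(post_message("POST", {"session": sid},
                       {"message": "hello", "csrf": csrf_token_for(sid)}))
    print(MESSAGES)
```

Run it as a script to see the three outcomes; only the last request lands in MESSAGES. The order of the checks matters: rejecting non-POST first keeps the GET-based tricks from even reaching the session lookup, and the token check is what closes the remaining POST-based gap the answer says method choice alone does not fix.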