
Thread: Website safety help request

  1. #1
    denzil

    Website safety help request

    Hello. I'd like some help from someone experienced with the technical details behind HTML POST and GET methods.

    Currently my website has user groups with different privilege levels. These privilege levels determine what a user will or won't be able to do. This is stored with other user information in a MySQL database.

    My first instinct was to read the privilege level from my database on every page that requires authentication. There are only a few, but they will most likely be visited successively. So I thought about passing this privilege level on via a form from one page to the next to reduce SQL server load. I obviously can't use method GET, as users could just modify their level in the URL and cause some havoc. So I was hoping method POST would do the trick.

    Bottom line if you don't want to read any of the above:
    I basically just want to know if method POST is completely safe against potentially malicious users, and that they won't be able to alter anything I want to pass from one page to the next if I use method POST in my forms.
    Last edited by denzil; 02-28-2011 at 04:09 PM.

  2. #2
    lemon-tree

    Re: Website safety help request

    Absolutely do not do this. POST data is essentially just as easy for someone to replace as GET data is, either through editing the page content or through custom headers. If you want to store user data, look into using the $_SESSION variables; any data stored here does not leave the server but does persist for the session between page reloads (although it does have its detriments with session hijacking).
    Realistically, the MySQL server is quick enough to handle the requests anyway without the need to cache between the pages.

  3. #3
    denzil

    Re: Website safety help request

    Thanks a lot. I suppose I could make PHP objects too, as they will just reside on the server? But it comes down to the same thing as using session variables. Thanks

    edit: or I'll just leave it as it is with SQL on every page
    Last edited by denzil; 03-01-2011 at 07:32 AM.
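
The two options discussed in this thread, side by side, as an added example that is not code from either poster: the privilege level is either cached in $_SESSION at login or re-read from the database on each request, and in both cases nothing the browser submits is consulted. The table and column names, the PRIV_MODERATOR constant, and the use of PDO with password_verify() are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the thread): users(id, username, password_hash, privilege).
const PRIV_MODERATOR = 2; // hypothetical level required by a protected page

// Cookie flags reduce the session-hijacking exposure mentioned in the reply.
// 'secure' means the cookie is only sent over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, privilege FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                       // fresh session ID after login
    $_SESSION['user_id']   = (int) $user['id'];
    $_SESSION['privilege'] = (int) $user['privilege']; // stored server-side only
    return true;
}

// Option A: use the level cached in the session at login (no query per page).
function sessionPrivilege(): int
{
    return (int) ($_SESSION['privilege'] ?? 0);
}

// Option B: re-read on every request, so a demotion takes effect immediately.
function databasePrivilege(PDO $db): int
{
    if (!isset($_SESSION['user_id'])) {
        return 0;
    }
    $stmt = $db->prepare('SELECT privilege FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return (int) $stmt->fetchColumn(); // no matching row yields false, which casts to 0
}

function requirePrivilege(int $actual, int $needed): void
{
    // $_POST['privilege'] and $_GET['privilege'] are never read: the client controls both.
    if ($actual < $needed) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

A protected page would call `requirePrivilege(sessionPrivilege(), PRIV_MODERATOR);` or `requirePrivilege(databasePrivilege($db), PRIV_MODERATOR);` before producing any output. With option A, a privilege change in the database only reaches a logged-in user once their session is refreshed.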
