CGI: POST and GET
John La Rooy
nospampls.jlr at doctor.com
Mon Feb 10 18:13:10 EST 2003
On Mon, 10 Feb 2003 13:46:03 -0600
sik0fewl <xxdigitalhellxx at hotmail.com> wrote:
> empty wrote:
> > William <wilk-spamout at flibuste.net> wrote in message news:<873cmxx29p.fsf at flibuste.net>...
> >
> >>printf_nemesis at hotmail.com (empty) writes:
> >>
> >>
> >>>Is it possible to retrieve specifically POST or GET method information?
> >>>Does cgi.FieldStorage() have a method for that? And if it's not
> >>>possible, that's a big security issue; any other form of security?
> >>
> >>I think if you change the argument of FieldStorage, you can skip GET or
> >>POST.
> >>But why do you say it's a security issue ?
> >>
> >
> >
> > Because it allows crackers to pass data that was not intended to be
> > passable other than through form ones, which might allow variables which
> > may be ill-defined to make the script do unfriendly things. It's more of
> > an issue in PHP because of SuperGlobals though..
>
> I wouldn't rely on POST any more than GET; POST requests can still be
> faked by anyone who is seriously trying to hack into your server.
>
> --
>
> Ryan
>
Except *anyone* who notices the stuff after the '?' in the URL can tinker
with a GET request. To do so with a POST requires - relatively speaking -
a lot more work. Especially for a non-programmer. From a security point of
view it makes no difference though - insecure is insecure.
Also, when a user prints a page, some browsers will put the entire URL on
the page somewhere. I have seen a case of this from my sister's work. Her
password and login were printed on the page as part of the URL!
John
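The thread above turns on two facts: cgi.FieldStorage() folds the URL query string and the POST body into one namespace, so a script cannot tell where a value came from, and a hand-made POST costs an attacker only a few lines of code. The following is an added example (not code from the original thread or from the Python standard library) that keeps the two sources apart without the cgi module (which was removed in Python 3.13), accepts login credentials from the POST body only, and then shows that a forged POST is indistinguishable from a browser form submission. The environ dicts and request bodies are constructed here for illustration; in a real CGI script they would be os.environ and sys.stdin.buffer.read().

```python
from urllib.parse import parse_qs, urlencode


def split_form_data(environ, body):
    """Parse one CGI request and keep URL fields and body fields apart.

    Returns (method, query_fields, body_fields); the two field dicts map
    name -> [values], exactly as urllib.parse.parse_qs produces them.
    `environ` is the CGI environment and `body` the raw request body.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    query_fields = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)

    body_fields = {}
    content_type = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if method == "POST" and content_type == "application/x-www-form-urlencoded":
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body_fields = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
    return method, query_fields, body_fields


def credentials(environ, body):
    """Return (login, password) taken from the POST body only.

    Credentials in the URL are refused, not because an attacker could not
    put them there (see forge_post below) but because the URL ends up in
    server logs, browser history and, as the thread notes, on printed pages.
    Returns None for a non-POST request, for a missing field, or when a
    credential field also appears in the query string.
    """
    method, query_fields, body_fields = split_form_data(environ, body)
    if method != "POST":
        return None
    if "login" in query_fields or "password" in query_fields:
        return None
    try:
        return body_fields["login"][0], body_fields["password"][0]
    except (KeyError, IndexError):
        return None


def forge_post(fields, query_string=""):
    """Build the (environ, body) pair that a hand-crafted POST produces.

    This is the whole 'extra work' a POST costs an attacker compared with
    editing the address bar: the CGI script receives exactly what a
    browser form submission would have given it.
    """
    body = urlencode(fields).encode("latin-1")
    environ = {
        "REQUEST_METHOD": "POST",
        "QUERY_STRING": query_string,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
    }
    return environ, body


# Constructed sample requests (not taken from the original thread).
BROWSER_GET = (
    {"REQUEST_METHOD": "GET", "QUERY_STRING": "login=alice&password=hunter2"},
    b"",
)
_POST_BODY = b"login=alice&password=hunter2"
BROWSER_POST = (
    {
        "REQUEST_METHOD": "POST",
        "QUERY_STRING": "",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(_POST_BODY)),
    },
    _POST_BODY,
)


if __name__ == "__main__":
    # A GET carries the credentials in the URL: parsed, but refused.
    print(split_form_data(*BROWSER_GET))
    print(credentials(*BROWSER_GET))
    # A browser form POST and a forged POST look the same to the script.
    print(credentials(*BROWSER_POST))
    print(credentials(*forge_post({"login": "alice", "password": "hunter2"})))
```

The separation lets a script refuse credentials that travelled in the URL, which is worth doing for the logging and printing reasons in the thread; it is not a defence against a hostile client, since forge_post produces a request the script cannot tell apart from a genuine form submission.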