generating method names 'dynamically'

Daniel Nogradi nogradi at
Fri Jan 27 11:42:04 EST 2006

> Ouch! This certainly seems like a possible security hole!
> As someone else said, use rewrite rules to get this passed
> in as a parameter.

I don't get it, why is it more safe to accept GET variables than
method names? Concretely, why is the URL safer than if in both cases exactly the
same things are happening with 'parameter'? It has to be checked in
both cases, characters like ', ", /, \, etc. have to be stripped and
then it will be fed into the same SQL query. So either way, I have to
implement some checking mechanism; what difference does it make if the
result of the checking is fed into a function as an argument and the
SQL query receives it that way, or a method of a class is called by
the name 'parameter' and the SQL query receives it as a reference to
the method name?
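The two halves of the question above (dispatching on a method name taken from the URL, and stripping characters before building the SQL query) can be tried side by side. The example below is added here and is not code from the original post or from anyone in the thread; the `Handler` class, the `users` table and the request values are hypothetical. It shows that `getattr` on a URL-supplied name reaches every method on the object, not just the ones meant to be exposed, so the check has to be an explicit table of allowed names, and that stripping `'`, `"`, `/` and `\` does nothing for a numeric comparison, whereas a bound parameter works for both cases.

```python
import sqlite3

# Hypothetical: the characters the post proposes stripping before use in SQL.
STRIPPED = "'\"/\\"


def make_db():
    """Constructed sample data: an in-memory SQLite table of three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def lookup_stripped(conn, user_id):
    """Strip the 'dangerous' characters, then concatenate into the query.

    In a numeric context no quote is needed, so '2 OR 1=1' survives the
    stripping intact and widens the WHERE clause to every row.
    """
    cleaned = "".join(ch for ch in user_id if ch not in STRIPPED)
    sql = "SELECT name FROM users WHERE id = " + cleaned + " ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_param(conn, user_id):
    """Bind the value instead; the input is data, never SQL text."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,)).fetchall()]


class Handler:
    """Hypothetical request handler with one intended and one internal method."""

    def show(self, conn, user_id):
        return lookup_param(conn, user_id)

    def purge(self, conn, user_id):
        # Public in the Python sense, but never meant to be reachable from a URL.
        conn.execute("DELETE FROM users")
        conn.commit()
        return []


def dispatch_by_name(handler, method, conn, arg):
    """Call whatever method the URL names: 'purge' is just as reachable as 'show'."""
    return getattr(handler, method)(conn, arg)


# The check the thread is asking about: an explicit table of exposed actions.
ROUTES = {"show": Handler.show}


def dispatch_allowlisted(handler, method, conn, arg):
    """Only names present in ROUTES are callable; anything else is rejected."""
    try:
        fn = ROUTES[method]
    except KeyError:
        raise ValueError("unknown action: %r" % method)
    return fn(handler, conn, arg)


if __name__ == "__main__":
    db = make_db()
    print(lookup_stripped(db, "2 OR 1=1"))   # stripping left the injection alone
    print(lookup_param(db, "2 OR 1=1"))      # bound parameter: no match
    h = Handler()
    print(dispatch_allowlisted(h, "show", db, "3"))
    dispatch_by_name(h, "purge", db, "1")    # getattr happily runs purge()
    print(lookup_param(db, "1"))
```

Whether the value arrives as a GET variable or as a path segment makes no difference to either problem; what matters is that the method name is matched against a fixed table rather than handed to `getattr`, and that the SQL value is bound rather than filtered.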

More information about the Python-list mailing list