Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Wed Feb 3 23:04:31 CET 2010


Am 03.02.10 19:11, schrieb John Bokma:
> Alan Harris-Reid<alan at baselinedata.co.uk>  writes:
>
>> I have a web-page where each row in a grid has edit/delete buttons to
>> enable the user to maintain a selected record on another page.  The
>> buttons are in the form of a link with href='/item_edit?id=123', but
>> this string appears in the URL and gives clues as to how to bypass the
>> correct sequence of events, and could be risky if they entered the URL
>> directly (especially when it comes to deleting records).
>
> You should *never* use a GET request to do actions like deleting
> records. You already are aware of it being risky, so don't do this. You
> should use GET for getting information, and POST for modifying information.

You should *never* say never, because there might be situations where 
exceptions from rules are valid. This is one such cases. Making this a 
post means that you need to resort to javascript to populate & submit a 
hidden HTML-form. Just for the sake of a POST.

And there are people who say "you should *never* write web-apps that 
only work with enabled javascript"... catch 22.

Also, your claim of it being more risky is simply nonsense. GET is a 
tiny bit more prone to tinkering by the average user. But calling this 
less risky is promoting security by obscurity, at most.

Diez




More information about the Python-list mailing list