Passing parameters in URL

Paul Rubin no.email at nospam.invalid
Thu Feb 4 11:32:01 CET 2010


Bruno Desthuilliers <bruno.42.desthuilliers at websiteburo.invalid> writes:
>> The buttons are in the form of a link with href='/item_edit?id=123',
> ...At least use "POST" requests for anything that Create/Update/Delete
> resources.

There's also the issue that a user can change "123" to "125" and
possibly mess with someone else's resource, unless you use some server
side authentication.  Or just seeing how often the numbers change could
reveal patterns about what other users are doing.  I always think it's
best to encrypt anything sensitive like that, to avoid leaking any info.
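An added example (not part of Paul Rubin's post or the thread) in Python: the /item_edit?id=123 handler sketched above, in its unchecked form and with the server-side ownership check the post calls for, plus random opaque tokens standing in for the "encrypt the id" suggestion. The ITEMS store, the user names and all function names are constructed stand-ins, not code from any framework.

```python
"""Added example: authorization check and opaque ids for /item_edit?id=123.
The in-memory ITEMS store and the session user are constructed stand-ins."""
import secrets

class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested item."""

# Constructed store: sequential ids like 123 are exactly what a user can
# change by hand in the URL (123 -> 125).
ITEMS = {
    123: {"owner": "alice", "title": "alice's draft"},
    125: {"owner": "bob", "title": "bob's draft"},
}

def edit_item_unchecked(item_id, new_title):
    """Vulnerable shape of the handler: trusts the id from the URL alone."""
    ITEMS[item_id]["title"] = new_title
    return ITEMS[item_id]

def can_edit(session_user, item_id):
    """Server-side decision: does the session's user own this item?
    Unknown ids and other users' ids both answer False, so the handler
    does not confirm which ids exist."""
    item = ITEMS.get(item_id)
    return item is not None and item["owner"] == session_user

def edit_item(session_user, item_id, new_title):
    """Hardened handler: the id in the URL is only a hint; the session
    (set server-side at login) decides whether the edit is allowed."""
    if not can_edit(session_user, item_id):
        raise Forbidden("no such item for this user")
    ITEMS[item_id]["title"] = new_title
    return ITEMS[item_id]

# Opaque public identifiers: one random token per item, kept in a lookup
# table, so URLs expose neither the internal id nor how fast ids grow.
# Random tokens are used here instead of encryption (an assumption).
PUBLIC_IDS = {}

def public_id_for(item_id):
    """Return (creating on first use) the unguessable token for an item."""
    for token, iid in PUBLIC_IDS.items():
        if iid == item_id:
            return token
    token = secrets.token_urlsafe(16)
    PUBLIC_IDS[token] = item_id
    return token

def resolve_public_id(token):
    """Map a URL token back to the internal id, or None if unknown."""
    return PUBLIC_IDS.get(token)
```

A real handler would read session_user from the server-side session, never from the request, and would still run can_edit even when the URL carries an opaque token.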