Passing parameters in URL
bruno.42.desthuilliers at websiteburo.invalid
Thu Feb 4 11:32:02 CET 2010
Alan Harris-Reid a écrit :
> I have a web-page where each row in a grid has edit/delete buttons to
> enable the user to maintain a selected record on another page. The
> buttons are in the form of a link with href='/item_edit?id=123', but
> this string appears in the URL and gives clues as to how to bypass the
> correct sequence of events, and could be risky if they entered the URL
> directly (especially when it comes to deleting records).
Basic HTTP stuff - this is definitely not Python-related.
Do yourself (and your users / customers / etc) a favor and read the HTTP
rfc. "GET" requests should NOT modify the server state. At least use
"POST" requests for anything that Create/Update/Delete resources.
For the record, someone once had serious problems with GET requests
deleting records - turned out to be a very bad idea when a robot started
following these links...
> Is there another way of passing a record-id to a method
> a) without it appearing in the URL?
> b) without the user being able to fathom-out how to attach which id to
> which URL?
Wrong solution. The correct solution is to
1/ make correct use of the request method (GET and POST at least).
2/ make sure the user performing the action has the permission to do it.
1/ won't protect your data from malicious users, but will at least avoid
2/ by checking the user's perms when handling the POST request of course
- not by hidding "forbidden" urls.
> As each link contains row-id, I guess there is nothing to stop someone
> from getting the id from the page source-code.
Nor even from trying any other id (brute-force attack).
> Is it safe to use the
> above href method if I test for authorised credentials (user/password
> stored as session variables, perhaps?) before performing the edit/delete
> I am currently using CherryPy 3.2, but I guess the theory could apply to
> any HTTP framework or web app..
More information about the Python-list