Passing parameters in URL

Bruno Desthuilliers bruno.42.desthuilliers at websiteburo.invalid
Thu Feb 4 11:32:02 CET 2010

Alan Harris-Reid a écrit :
> I have a web-page where each row in a grid has edit/delete buttons to 
> enable the user to maintain a selected record on another page.  The 
> buttons are in the form of a link with href='/item_edit?id=123', but 
> this string appears in the URL and gives clues as to how to bypass the 
> correct sequence of events, and could be risky if they entered the URL 
> directly (especially when it comes to deleting records).

Basic HTTP stuff - this is definitely not Python-related.
Do yourself (and your users / customers / etc) a favor and read the HTTP 
rfc. "GET" requests should NOT modify the server state. At least use 
"POST" requests for anything that Create/Update/Delete resources.

For the record, someone once had serious problems with GET requests 
deleting records - turned out to be a very bad idea when a robot started 
following these links...

> Is there another way of passing a record-id to a method



> a) without it appearing in the URL?
> b) without the user being able to fathom-out how to attach which id to 
> which URL?

Wrong solution. The correct solution is to
1/ make correct use of the request method (GET and POST at least).
2/ make sure the user performing the action has the permission to do it.

1/ won't protect your data from malicious users, but will at least avoid 
accidental mistakes.

2/ by checking the user's perms when handling the POST request of course 
- not by hidding "forbidden" urls.

> As each link contains row-id, I guess there is nothing to stop someone 
> from getting the id from the page source-code.

Nor even from trying any other id (brute-force attack).

>  Is it safe to use the 
> above href method if I test for authorised credentials (user/password 
> stored as session variables, perhaps?) before performing the edit/delete 
> action?

cf above.

> I am currently using CherryPy 3.2, but I guess the theory could apply to 
> any HTTP framework or web app..


More information about the Python-list mailing list