CGI input: Filter dict.update() unwanted variables
Chris Angelico
rosuav at gmail.com
Tue Aug 23 04:24:39 EDT 2011
On Mon, Aug 22, 2011 at 4:39 PM, Miki Tebeka <miki.tebeka at gmail.com> wrote:
> You can check if there is a "non-allowed variable" and then return HTTP error.
> if set(form) - set(allowedVariables):
> print('Status: 406\n\n')
> raise SystemExit()
>
I'd be disinclined to do this; ignore unrecognized query variables,
but don't throw back an error. Sometimes it's convenient to let the
browser send a "junk header" that the server will ignore - helps with
integration with other systems. As long as you can be sure that the
script won't do the wrong thing, it should be fine to have an extra
bit of GET/POST data.
ChrisA
More information about the Python-list
mailing list