[Web-SIG] Form field dictionaries

Gregory (Grisha) Trubetskoy grisha at modpython.org
Fri Oct 24 22:10:04 EDT 2003

On Fri, 24 Oct 2003, Simon Willison wrote:

> 2. My rule of thumb is "only modify data on a POST" - that way there's
> no chance of someone bookmarking a URL that updates a database (for
> example).

I get upset at web pages that refuse to cooperate when I submit things via
query strings.

I think a reliable way to avoid accidental updates is to rely on a session
mechanism; only modifying on POST only results in mild user annoyance

> 3. It is useful to be able to detect if a form has been submitted or
> not. In PHP, I frequently check for POSTed data and display a form if
> none is available, assume the form has been submitted if there is.

I don't like doing things like this because they rely on protocol
internals to drive application logic...

> 4. Security. While ensuring data has come from POST rather than GET
> provides absolutely no security against a serious intruder, it does
> discourage amateurs from "hacking the URL" to see if they can cause any
> damage. Security through obscurity admitedly, but it adds a bit of extra
> peace of mind.

Again, I don't agree; hackable URL's are a good thing! :-)

And it is, indeed, security by obscurity. If you have good data
validation, there should be no need for any obscurity.


More information about the Web-SIG mailing list