[Web-SIG] Form field dictionaries

David Fraser davidf at sjsoft.com
Mon Oct 27 02:52:59 EST 2003


Gregory (Grisha) Trubetskoy wrote:

>On Fri, 24 Oct 2003, Simon Willison wrote:
>
>>2. My rule of thumb is "only modify data on a POST" - that way there's
>>no chance of someone bookmarking a URL that updates a database (for
>>example).
>
>I get upset at web pages that refuse to cooperate when I submit things via
>query strings.
>
>I think a reliable way to avoid accidental updates is to rely on a session
>mechanism; only modifying on POST results in mild user annoyance
>IMHO.
>
>>3. It is useful to be able to detect if a form has been submitted or
>>not. In PHP, I frequently check for POSTed data and display a form if
>>none is available, assume the form has been submitted if there is.
>
>I don't like doing things like this because they rely on protocol
>internals to drive application logic...
>
>>4. Security. While ensuring data has come from POST rather than GET
>>provides absolutely no security against a serious intruder, it does
>>discourage amateurs from "hacking the URL" to see if they can cause any
>>damage. Security through obscurity admittedly, but it adds a bit of extra
>>peace of mind.
>
>Again, I don't agree; hackable URLs are a good thing! :-)
>
>And it is, indeed, security by obscurity. If you have good data
>validation, there should be no need for any obscurity.
>
Absolutely. And I really like the bookmarklet for Mozilla that lets you
transform all POST forms into GET forms so you can hack the URLs :-)
http://www.squarefree.com/bookmarklets/forms.html

David
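As an added illustration (not code from this thread or from Web-SIG) of the session-mechanism approach Grisha describes above: the form hands out a one-time token tied to the session, and a submission is applied only when that token is still outstanding and the data validates, so a bookmarked or replayed URL cannot re-apply the update whether it arrives by GET or POST. The in-memory SESSIONS/COUNTER stores and the `delta` field are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs

# Constructed stand-ins for a session store and the "database" being modified.
SESSIONS = {}            # session id -> set of outstanding one-time form tokens
COUNTER = {"value": 0}   # the state an update changes


def new_session():
    """Create a server-side session and return its id (would live in a cookie)."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = set()
    return sid


def render_form(sid):
    """Called when the form is displayed: issue a token that proves a later
    submission is a fresh one, not a replay of an earlier URL."""
    token = secrets.token_hex(8)
    SESSIONS[sid].add(token)
    return token


def handle(sid, method, query):
    """Process a submission. `method` is accepted only to show it plays no
    part in the decision; the session token and validation do the work.
    Returns (status, message)."""
    if sid not in SESSIONS:
        return 403, "no session"
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    token = fields.get("token")
    if token not in SESSIONS[sid]:
        # Bookmarked/re-submitted URL: its token was consumed the first time.
        return 409, "stale or missing form token; nothing modified"
    # Validate before consuming the token so a bad submission can be retried.
    try:
        delta = int(fields.get("delta", ""))
    except ValueError:
        return 400, "delta must be an integer"
    if not -100 <= delta <= 100:
        return 400, "delta out of range"
    SESSIONS[sid].discard(token)   # consume: the same URL cannot apply twice
    COUNTER["value"] += delta
    return 200, "counter=%d" % COUNTER["value"]
```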
