generating method names 'dynamically'

Daniel Nogradi nogradi at gmail.com
Fri Jan 27 11:42:04 EST 2006


> Ouch! This certainly seems like a possible security hole!
>
> As someone else said, use rewrite rules to get this passed
> in as a parameter.

I don't get it, why is it safer to accept GET variables than
method names? Concretely, why is the URL
http://something.com/script?q=parameter safer than
http://something.com/script/parameter if in both cases exactly the
same things are happening with 'parameter'? It has to be checked in
both cases, characters like ', ", /, \, etc. have to be stripped and
then it will be fed into the same SQL query. So either way, I have to
implement some checking mechanism, what difference does it make if the
result of the checking is fed into a function as an argument and the
SQL query receives it that way, or a method of a class is called by
the name 'parameter' and the SQL query receives it as a reference to
the method name?


