Passing parameters in URL

John Bokma john at castleamber.com
Wed Feb 3 13:11:33 EST 2010 

Alan Harris-Reid <alan at baselinedata.co.uk> writes:

> I have a web-page where each row in a grid has edit/delete buttons to
> enable the user to maintain a selected record on another page.  The
> buttons are in the form of a link with href='/item_edit?id=123', but
> this string appears in the URL and gives clues as to how to bypass the
> correct sequence of events, and could be risky if they entered the URL
> directly (especially when it comes to deleting records).

You should *never* use a GET request to do actions like deleting
records. You already are aware of it being risky, so don't do this. You
should use GET for getting information, and POST for modifying information.

> Is there another way of passing a record-id to a method
> a) without it appearing in the URL?

Use a POST request. Note that the user still has to select something,
and that this information is send by the browser, and hence the user can
see this information (and maybe others), and repeat the action with, for
example, a Python program.

> b) without the user being able to fathom-out how to attach which id to
> which URL?

I am not sure what you want to prevent here. If you're afraid that user
A can delete things that belong user B, than "hiding" things or making
them "hard to guess" are not going to help much. If you have several
users, you must use some login procedure (and sessions).

> As each link contains row-id, I guess there is nothing to stop someone
> from getting the id from the page source-code.  Is it safe to use the
> above href method if I test for authorised credentials (user/password
> stored as session variables, perhaps?) before performing the
> edit/delete action?

Yes. But still make sure that session ids are not easy to guess, and
expire. And make very sure that session ids can't leak to others.

Moreover, each time you modify a database use POST. One could argue to
also use POST for logging out, otherwise another site might be able to
log your users out if they visit that site.

-- 
John Bokma                                                               j3b

Hacking & Hiking in Mexico -  http://johnbokma.com/
http://castleamber.com/ - Perl & Python Development

More information about the Python-list mailing list