[Web-SIG] Form field dictionaries
Simon Willison
cs1spw at bath.ac.uk
Fri Oct 24 19:12:45 EDT 2003
Bill Janssen wrote:
> Secondly, I don't think there's a need for separate GET and POST
> dictionaries -- there's only one kind of request at any one time, all
> you need is a REQUEST dictionary.
I'm a huge fan of being able to distinguish between the data from a
query string (GET data) and data that has been POSTed. I posted my
reasons for caring about this to the Quixote mailing list a few days
ago, but I'll repeat them here through the magic of copy and paste:
1. By differentiating between the two the same 'key' can be used twice.
For example, a form submitting to a page called 'forms?id=1' can itself
include an id attribute in the POST data without over-riding the id in
the URL
2. My rule of thumb is "only modify data on a POST" - that way there's
no chance of someone bookmarking a URL that updates a database (for
example).
3. It is useful to be able to detect if a form has been submitted or
not. In PHP, I frequently check for POSTed data and display a form if
none is available, assume the form has been submitted if there is.
4. Security. While ensuring data has come from POST rather than GET
provides absolutely no security against a serious intruder, it does
discourage amateurs from "hacking the URL" to see if they can cause any
damage. Security through obscurity admittedly, but it adds a bit of extra
peace of mind.
( From
http://mail.mems-exchange.org/pipermail/quixote-users/2003-October/002013.html
)
The 2nd point above is supported by this quote from the HTTP spec:
"""
In particular, the convention has been established that the GET and HEAD
methods SHOULD NOT have the significance of taking an action other than
retrieval. These methods ought to be considered "safe"
"""
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
If you don't know which bit of data came from GET and which came from
POST you have no way of ensuring that only POSTed data changes the
"state" of data on the server.
I accept that there is a great deal of convenience in only having to
look in one place for data from both POST and GET, which is why I
advocate a third dictionary (or dictionary like object) called something
like REQUEST which combines the data from the other two.
--
Simon Willison
Web development weblog: http://simon.incutio.com/
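As an added illustration (not code from the post above, nor from any Web-SIG proposal), here is a small Python request object that keeps query-string data and form-body data in separate GET and POST dictionaries, with a merged REQUEST view, and two handlers for the 'forms?id=1' case: one that reads the record id from GET and only changes state on a POST, and a counter-example that reads everything from the merged dictionary and so can be driven into a write by a bookmarked GET. The class and function names, the WSGI-style environ builder, the sample requests, and the choice that POST values shadow GET values in REQUEST are all assumptions of this example.

```python
import io
from urllib.parse import parse_qs


class Request:
    """Request object that keeps query-string data (GET) and form-body data
    (POST) in separate dictionaries, plus a merged REQUEST view for convenience.
    Each value is a list, since a key may repeat in a query string or form."""

    def __init__(self, environ):
        self.method = environ.get("REQUEST_METHOD", "GET").upper()
        # GET data: always taken from the query string, whatever the method.
        self.GET = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        # POST data: parsed only from the body of a POST with a form content type.
        self.POST = {}
        ctype = environ.get("CONTENT_TYPE", "")
        if self.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length).decode("latin-1")
            self.POST = parse_qs(body, keep_blank_values=True)
        # Merged view. Giving POST precedence over GET on a key collision is an
        # assumption of this example; the post does not specify a precedence.
        self.REQUEST = {**self.GET, **self.POST}


def form_submitted(request):
    """Point 3: treat the presence of any POST data as 'the form was submitted'."""
    return bool(request.POST)


def render_form(record):
    """Stand-in for a template: returns the HTML for the edit form."""
    return "<form method='post'>%s</form>" % record["fields"]


def edit_view(request, records):
    """Handler for a hypothetical 'forms?id=1' URL. The query-string id selects
    the record; the posted fields, including a posted 'id' (point 1), are
    stored on it without clobbering the id from the URL."""
    record_id = request.GET.get("id", [None])[0]
    if record_id not in records:
        return "404 Not Found"
    if not form_submitted(request):
        return render_form(records[record_id])  # GET: read only
    # Point 2: the only code path that changes state, reachable only by POST.
    records[record_id]["fields"] = {k: v[0] for k, v in request.POST.items()}
    return "303 See Other"


def naive_edit_view(request, records):
    """Counter-example: reads only the merged REQUEST dict, so it cannot tell a
    posted 'name' from one typed into (or bookmarked in) the URL; a plain GET
    of 'forms?id=1&name=...' therefore rewrites the record."""
    record_id = request.REQUEST.get("id", [None])[0]
    if record_id not in records:
        return "404 Not Found"
    if "name" not in request.REQUEST:
        return render_form(records[record_id])
    records[record_id]["fields"] = {
        k: v[0] for k, v in request.REQUEST.items() if k != "id"
    }
    return "303 See Other"


def make_environ(method, query, body=b""):
    """Build a minimal WSGI-style environ for the constructed sample requests."""
    return {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


def demo():
    """Run both handlers over constructed requests and return what each did
    to the record, so the GET-vs-POST distinction is visible in the result."""
    records = {"1": {"fields": {}}}
    get = Request(make_environ("GET", "id=1"))
    post = Request(make_environ("POST", "id=1", b"id=42&name=Alice"))
    bookmarked = Request(make_environ("GET", "id=1&name=pwned"))

    safe = {"get": edit_view(get, records), "post": edit_view(post, records)}
    after_post = dict(records["1"]["fields"])
    edit_view(bookmarked, records)        # GET with extra params: no change
    after_bookmark_safe = dict(records["1"]["fields"])
    naive_edit_view(bookmarked, records)  # same GET against the merged-dict handler
    after_bookmark_naive = dict(records["1"]["fields"])
    return safe, after_post, after_bookmark_safe, after_bookmark_naive


if __name__ == "__main__":
    print(demo())
```

The separate dictionaries are what let `edit_view` refuse to write on the bookmarked GET; `naive_edit_view` has the same information available but, having merged it, can no longer act on where each value came from.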