[Web-SIG] Form field dictionaries

Simon Willison cs1spw at bath.ac.uk
Fri Oct 24 19:12:45 EDT 2003


Bill Janssen wrote:
> Secondly, I don't think there's a need for separate GET and POST
> dictionaries -- there's only one kind of request at any one time, all
> you need is a REQUEST dictionary.

I'm a huge fan of being able to distinguish between data from a 
query string (GET data) and data that has been POSTed. I posted my 
reasons for caring about this to the Quixote mailing list a few days 
ago, but I'll repeat them here through the magic of copy and paste:

1. By differentiating between the two the same 'key' can be used twice.
For example, a form submitting to a page called 'forms?id=1' can itself
include an id attribute in the POST data without overriding the id in
the URL.

2. My rule of thumb is "only modify data on a POST" - that way there's
no chance of someone bookmarking a URL that updates a database (for
example).

3. It is useful to be able to detect if a form has been submitted or
not. In PHP, I frequently check for POSTed data and display a form if
none is available, and assume the form has been submitted if there is.

4. Security. While ensuring data has come from POST rather than GET
provides absolutely no security against a serious intruder, it does 
discourage amateurs from "hacking the URL" to see if they can cause any 
damage. Security through obscurity admittedly, but it adds a bit of extra 
peace of mind.

(From 
http://mail.mems-exchange.org/pipermail/quixote-users/2003-October/002013.html)

The 2nd point above is supported by this quote from the HTTP spec:

"""
In particular, the convention has been established that the GET and HEAD
methods SHOULD NOT have the significance of taking an action other than
retrieval. These methods ought to be considered "safe"
"""

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1

If you don't know which bit of data came from GET and which came from 
POST you have no way of ensuring that only POSTed data changes the 
"state" of data on the server.

I accept that there is a great deal of convenience in only having to 
look in one place for data from both POST and GET, which is why I 
advocate a third dictionary (or dictionary like object) called something 
like REQUEST which combines the data from the other two.

-- 
Simon Willison
Web development weblog: http://simon.incutio.com/
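An added example of the three-dictionary design described in this message; it is not code from the post or from Quixote, and the Request class, the merge order in REQUEST and the update_record guard are assumptions:

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a form POSTed to 'forms?id=1' whose body
# also carries an 'id' field (the case from point 1 in the message).
SAMPLE_METHOD = "POST"
SAMPLE_URL = "/forms?id=1&page=2"
SAMPLE_BODY = "id=99&name=widget"


class Request:
    """Hypothetical request object with separate GET, POST and REQUEST
    dictionaries (assumed design, not Quixote's API)."""
    SAFE_METHODS = ("GET", "HEAD")  # RFC 2616 sec. 9.1.1 "safe" methods

    def __init__(self, method, url, body=""):
        self.method = method.upper()
        query = urlsplit(url).query
        # parse_qs returns lists; keep the first value of each field
        self.GET = {k: v[0] for k, v in parse_qs(query).items()}
        # Only a POST carries POSTed data; a GET leaves this empty
        self.POST = {}
        if self.method == "POST":
            self.POST = {k: v[0] for k, v in parse_qs(body).items()}
        # Combined view for convenience; POST wins on a key clash
        # (assumed precedence, the message does not specify one)
        self.REQUEST = {**self.GET, **self.POST}

    def is_safe(self):
        return self.method in self.SAFE_METHODS


def update_record(request):
    """Rule of thumb from point 2: only modify data on a POST. The record
    id is read from POST alone, so a bookmarked URL cannot supply it."""
    if request.is_safe():
        raise PermissionError("state change attempted with a safe method")
    record_id = request.POST.get("id")
    if record_id is None:
        raise KeyError("id must be supplied in POST data")
    return {"updated": record_id}


def show_form(request):
    """Point 3: render the form if nothing was POSTed, otherwise process it."""
    if not request.POST:
        return "render form"
    return update_record(request)
```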