[Web-SIG] Form field dictionaries
Gregory (Grisha) Trubetskoy
grisha at modpython.org
Fri Oct 24 22:10:04 EDT 2003
On Fri, 24 Oct 2003, Simon Willison wrote:
> 2. My rule of thumb is "only modify data on a POST" - that way there's
> no chance of someone bookmarking a URL that updates a database (for
> example).
I get upset at web pages that refuse to cooperate when I submit things via
query strings.
I think a reliable way to avoid accidental updates is to rely on a session
mechanism; modifying only on POST results in mild user annoyance
IMHO.
> 3. It is useful to be able to detect if a form has been submitted or
> not. In PHP, I frequently check for POSTed data and display a form if
> none is available, and assume the form has been submitted if there is.
I don't like doing things like this because they rely on protocol
internals to drive application logic...
> 4. Security. While ensuring data has come from POST rather than GET
> provides absolutely no security against a serious intruder, it does
> discourage amateurs from "hacking the URL" to see if they can cause any
> damage. Security through obscurity admittedly, but it adds a bit of extra
> peace of mind.
Again, I don't agree; hackable URLs are a good thing! :-)
And it is, indeed, security by obscurity. If you have good data
validation, there should be no need for any obscurity.
Grisha
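The "session mechanism" Grisha prefers over a POST-only rule, sketched as an added example that is not part of the thread: each rendered form carries a single-use token tied to the session, and the handler accepts the submission from any method but refuses it once the token has been consumed, so a bookmarked or reloaded URL cannot re-apply the update. The in-memory session store and the `apply_update` callback are assumptions for illustration.

```python
"""Added example (not from the Web-SIG thread): a session-backed
one-time form token that makes an update URL safe to bookmark or
reload, independent of whether it arrives via GET or POST."""
import hmac
import secrets

# Constructed in-memory session store: session_id -> unused form tokens.
# A real application would keep this in its server-side session backend.
SESSIONS: dict[str, set[str]] = {}


def issue_form_token(session_id: str) -> str:
    """Mint a fresh single-use token while rendering the form and
    remember it in the caller's session."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, set()).add(token)
    return token


def handle_update(session_id: str, params: dict, apply_update) -> tuple:
    """Process a submitted form. The update is applied only if the request
    carries an unused token belonging to this session; the token is
    consumed first, so a replay (bookmark, reload, back button) is refused
    with no database change. Returns (status, message)."""
    submitted = str(params.get("token", "")).encode()
    pending = SESSIONS.get(session_id, set())
    # Constant-time comparison against each outstanding token.
    match = next((t for t in pending
                  if hmac.compare_digest(t.encode(), submitted)), None)
    if match is None:
        return 409, "stale or missing form token; update not applied"
    pending.discard(match)  # consume before touching any data
    apply_update(params)
    return 200, "update applied"


if __name__ == "__main__":
    log = []
    tok = issue_form_token("sess-1")
    print(handle_update("sess-1", {"token": tok, "name": "x"}, log.append))
    # Same URL submitted again: refused, nothing re-applied.
    print(handle_update("sess-1", {"token": tok, "name": "x"}, log.append))
    print(len(log), "update(s) applied")
```

The same handler also rejects a token minted for a different session, which is what keeps the check from degenerating into "any token will do".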