[ic] disabling GET variables
Grant
emailgrant123b at yahoo.com
Sun Jun 13 12:18:24 EDT 2004
--- Jon Jensen <jon at endpoint.com> wrote:
> On Fri, 28 May 2004, Grant wrote:
>
> > I've been careful to not rely on any GET variables in my catalog. Even so,
> > I suppose the "id" variable is still passed via GET if the user has cookies
> > disabled. It doesn't seem like a numerical "mv_pc" would matter because
> > it's just an anti-cacher, right? That leaves the UI which has GETs all
> > over the place.
> >
> > It seems like a security risk to allow users to modify variables in the
> > URL via GET. Should I not be worried about this, or is there a way to keep
> > that from happening?
>
> You could play around with that if you want, but it certainly won't help
> your security any. Anything that comes from the user is not to be trusted,
> and that includes GET, POST, the HTTP headers including the URL, etc.
>
> Also, there are times that GET is nice, namely if you want to be able to
> bookmark something like a particular query option. If you POST, the
> important stuff won't be in the URL and can't be bookmarked.
>
> Jon
Thanks for your response Jon. Sorry about my delayed
reply. I just got caught up on my mailing lists.
It sounds like what I'm suggesting would be a waste of
time. I'm basically trying to confine user input to
HTML forms. I'll look into this again later on.
- Grant
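The point in Jon's reply above, that an "id" arriving by cookie, POST or GET is untrusted in exactly the same way and has to be validated server-side, as an added example that is not part of the original thread or of Interchange's own code; the allow-list formats for "id" and "mv_pc" and the sample requests are assumptions:

```python
import re
from urllib.parse import parse_qs

# Assumed formats for the two Interchange-style parameters discussed in the thread.
ID_RE = re.compile(r"\A[A-Za-z0-9_-]{1,32}\Z")   # product/page id: short allow-listed token
MV_PC_RE = re.compile(r"\A[0-9]{1,10}\Z")        # mv_pc: a numeric anti-cache counter

def parse_request(raw: bytes) -> dict:
    """Split a minimal HTTP/1.x request into query, cookie and POST-body parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    _path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            cookies[key] = value
    post = parse_qs(body.decode("latin-1")) if method == "POST" else {}
    return {"get": parse_qs(query), "post": post, "cookies": cookies}

def resolve_param(req: dict, name: str, pattern: re.Pattern):
    """Take the first value for `name` from cookie, POST or GET. Every channel is
    equally untrusted, so the value is accepted only if it matches the allow-list."""
    candidates = [req["cookies"].get(name)] + req["post"].get(name, []) + req["get"].get(name, [])
    for value in candidates:
        if value is not None:
            return value if pattern.match(value) else None
    return None

def safe_id(raw: bytes):
    return resolve_param(parse_request(raw), "id", ID_RE)

def safe_mv_pc(raw: bytes):
    return resolve_param(parse_request(raw), "mv_pc", MV_PC_RE)

# Constructed sample requests (not taken from the list archive).
GET_REQ = (b"GET /cgi-bin/catalog/flypage?id=os28004&mv_pc=17 HTTP/1.1\r\n"
           b"Host: shop.example\r\n\r\n")
COOKIE_REQ = (b"GET /cgi-bin/catalog/flypage HTTP/1.1\r\nHost: shop.example\r\n"
              b"Cookie: id=os28004; theme=blue\r\n\r\n")
POST_REQ = (b"POST /cgi-bin/catalog/process HTTP/1.1\r\nHost: shop.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\n"
            b"id=os28004%27+--&mv_pc=1")   # malformed id submitted by POST, not GET

if __name__ == "__main__":
    for label, req in (("GET", GET_REQ), ("cookie", COOKIE_REQ), ("POST", POST_REQ)):
        print(label, safe_id(req), safe_mv_pc(req))
```

The POST sample is rejected for the same reason a tampered query string would be: confining input to forms changes the channel, not the trust level.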