[ic] disabling GET variables

Jon Jensen jon at endpoint.com
Fri May 28 18:40:20 EDT 2004


On Fri, 28 May 2004, Grant wrote:

> I've been careful to not rely on any GET variables in
> my catalog.  Even so, I suppose the "id" variable is
> still passed via GET if the user has cookies disabled.
> It doesn't seem like a numerical "mv_pc" would matter
> because it's just an anti-cacher right?  That leaves
> the UI which has GETs all over the place.
> 
> It seems like a security risk to allow users to modify
> variables in the URL via GET.  Should I not be worried
> about this, or is there a way to keep that from
> happening?

You could play around with that if you want, but it certainly won't help
your security any. Anything that comes from the user is not to be trusted,
and that includes GET, POST, the HTTP headers including the URL, etc.

Also, there are times that GET is nice, namely if you want to be able to
bookmark something like a particular query option. If you POST, the
important stuff won't be in the URL and can't be bookmarked.

Jon
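As an added illustration of the point above (example code, not from the thread or from Interchange itself): the catalog "id" is validated against an allowlist regardless of whether it arrived in the query string or the POST body, so switching methods changes nothing. The request layout, the numeric id format and the sample values are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests: the same catalog "id" parameter arrives
# three different ways. Validation must not depend on which channel.
REQUESTS = [
    {"method": "GET", "query": "id=00042&mv_pc=7", "body": ""},
    {"method": "POST", "query": "", "body": "id=00042&mv_pc=7"},
    {"method": "POST", "query": "mv_pc=7", "body": "id=../../etc/passwd"},
]

# Assumed catalog id format: one to ten ASCII digits, nothing else.
ID_RE = re.compile(r"\A[0-9]{1,10}\Z")


def request_params(req):
    """Merge query-string and body parameters into one dict.

    Both sources are attacker-controlled, so neither is treated as
    'safer'; a later source simply overrides an earlier duplicate key.
    """
    merged = {}
    for source in (req["query"], req["body"]):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            merged[key] = values[-1]
    return merged


def safe_item_id(req):
    """Return the catalog id if it passes the allowlist, else None."""
    value = request_params(req).get("id", "")
    return value if ID_RE.match(value) else None


def outcomes():
    """Validation result per sample request, by method."""
    return [(r["method"], safe_item_id(r)) for r in REQUESTS]


if __name__ == "__main__":
    for method, item_id in outcomes():
        print(f"{method:4} -> {item_id!r}")
```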
