[Klone-users] GET/POST confused methods
Stefano Barbato
barbato at koanlogic.com
Fri Apr 11 07:57:58 EDT 2008
On 11/apr/08, at 10:37, Mickael Auger wrote:
> Hi Thomas
>
> Sorry, I do not agree. As with CGI, it should be possible to distinguish
> between the REQUEST_URI and POST data. In my example I showed the
> problem that if a user supplies the variables in the URL (GET), then
> they take precedence over those sent in the form (if POST). This
> is a security hole that is a bit too easy.
> The current functionality corresponds to the request method, but I think
> that the current KLone version should have this functionality
> (distinct GET/POST methods) like PHP, CGI ...
> For the 2.0.3 version? :)
>
> Thanks.
>
> --
> Mickaël AUGER
Hi Mickael,
GET and POST are just two methods to pass name/value variables from
the client to the http server. There are also at least two different
POST encodings: plain and multipart. They encode data in different
ways, but the result is the same: they pass name/value pairs to the
server, and you need to change your code to swap from one method to the
other.
I can't see any reason or advantage in knowing where those
variables are coming from; your application will work properly either
way because KLone exports all variables in the same consistent way.
I don't think either that this is a security issue, because form
variables are ALWAYS unsafe: the attacker can modify GET variables and
POST variables as he likes, and the server has no control over that. To stay
safe the server must always validate user input before using it.
Am I missing something?
bye,
stefano
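The precedence question the two posters discuss, as an added illustration (this is not KLone code and comes from neither poster): a CGI-style parser that keeps URL variables and plain-encoded POST body variables apart, a merged lookup in which URL variables override form fields (the behaviour Mickael reports), and a method-aware lookup that reads only the source matching the request method. The environ dict, the `fromurl`/`fromform` sample values and the helper names are constructed for the example.

```python
from urllib.parse import parse_qs

FORM_CT = "application/x-www-form-urlencoded"


def parse_cgi_request(environ, body):
    """Split a CGI-style request into URL (GET) variables and POST body variables.

    environ mimics the CGI environment (REQUEST_METHOD, QUERY_STRING, CONTENT_TYPE);
    body is the raw request body as bytes. Only the plain (urlencoded) POST
    encoding is handled here; multipart is out of scope for this example.
    """
    get_vars = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    post_vars = {}
    is_post = environ.get("REQUEST_METHOD", "GET").upper() == "POST"
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if is_post and ctype == FORM_CT:
        post_vars = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return get_vars, post_vars


def merged_lookup(environ, body, name):
    """One merged namespace where URL variables override form fields.
    This is the precedence Mickael reports: the URL copy of 'user' wins."""
    get_vars, post_vars = parse_cgi_request(environ, body)
    merged = dict(post_vars)
    merged.update(get_vars)
    return merged.get(name, [None])[0]


def method_lookup(environ, body, name):
    """Source-aware lookup: for POST read only the body, otherwise only the URL.
    Either way the value is client-controlled and still needs validation,
    which is Stefano's point."""
    get_vars, post_vars = parse_cgi_request(environ, body)
    is_post = environ.get("REQUEST_METHOD", "").upper() == "POST"
    source = post_vars if is_post else get_vars
    return source.get(name, [None])[0]


# Constructed sample: a POST whose URL also carries a 'user' variable.
SAMPLE_ENV = {
    "REQUEST_METHOD": "POST",
    "QUERY_STRING": "user=fromurl",
    "CONTENT_TYPE": "application/x-www-form-urlencoded; charset=utf-8",
}
SAMPLE_BODY = b"user=fromform&lang=en"

if __name__ == "__main__":
    print(merged_lookup(SAMPLE_ENV, SAMPLE_BODY, "user"))  # fromurl
    print(method_lookup(SAMPLE_ENV, SAMPLE_BODY, "user"))  # fromform
```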