Jim Dabell
jim-mod-python at jimdabell.com
Fri Sep 3 22:09:52 EDT 2004
On Friday 03 September 2004 20:35, David Fraser wrote:
> This is security by obscurity. I would think making sure the values
> passed into a function are safe is more important. The danger of
> security by obscurity is it misleads you into not doing this kind of
> checking...
> I *love* being able to pass GET variables into functions in other
> people's programs ... it means web programs are easier to interact with.
> Just this week I wrote a script to search for flights on top of an
> airline's website ... it saved me a lot of time

Actually, there is a security aspect to removing the ability to use query string parameters in place of POST variables. An attacker who can induce somebody to visit a page they created can cause the user to automatically call these functions by simply using something like:

<img src="http://www.example.com/script?deletesomething=true">

As it will be the user who is executing this function, the only clue you have to "making sure the values passed into a function are safe" is that it was submitted via query string parameters and not POST variables. If you don't use the query string parameters when you are expecting POST variables, then your users are not susceptible to this form of attack.

--
Jim Dabell
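The distinction the post draws, as an added example that is not part of the original message and is not mod_python's own API: a minimal request model (the `Request` class, the `deletesomething` parameter and the two extraction functions are all assumed names for illustration) compares a handler that merges query-string and POST-body parameters with one that reads state-changing parameters from the body of a POST only. The first request is the one a victim's browser sends when it renders the attacker's image tag; the second is the site's own form submission.

```python
from urllib.parse import parse_qs


class Request:
    """Constructed stand-in for a framework request object (assumption, not
    mod_python's API): HTTP method, raw query string, and the raw body of a
    form POST."""

    def __init__(self, method, query_string="", body=""):
        self.method = method
        self.query_string = query_string
        self.body = body


def merged_params(req):
    """Vulnerable lookup: the parameter is accepted from the query string or
    the POST body interchangeably, so a plain GET from an <img src=...> tag
    reaches the handler with deletesomething=true."""
    params = parse_qs(req.query_string)
    if req.method == "POST":
        params.update(parse_qs(req.body))
    return {k: v[0] for k, v in params.items()}


def post_only_params(req):
    """Hardened lookup: parameters that change state are read only from the
    body of a POST. Anything in the query string is ignored, whatever the
    method, so the image-tag vector has nothing to submit."""
    if req.method != "POST":
        return {}
    return {k: v[0] for k, v in parse_qs(req.body).items()}


def delete_handler(req, extract):
    """Returns True if the handler would go ahead with the deletion when its
    parameters are obtained through the given extraction function."""
    return extract(req).get("deletesomething") == "true"


# Constructed sample requests.
# What the victim's browser sends when it loads the attacker's page containing
#   <img src="http://www.example.com/script?deletesomething=true">
IMG_GET = Request("GET", query_string="deletesomething=true")
# The site's own delete form, submitted by the user on purpose.
FORM_POST = Request("POST", body="deletesomething=true")
# A POST whose only copy of the flag rides in the query string.
POST_WITH_QS = Request("POST", query_string="deletesomething=true")


if __name__ == "__main__":
    for name, req in (("img GET", IMG_GET), ("form POST", FORM_POST),
                      ("POST w/ query string", POST_WITH_QS)):
        print(f"{name:22s} merged: {delete_handler(req, merged_params)!s:5s} "
              f"post-only: {delete_handler(req, post_only_params)}")
```

With `merged_params` the image-tag GET deletes just as the real form does; with `post_only_params` only the genuine form submission is honoured. Note that this closes the specific vector the post describes, a cross-site GET triggered by an image tag; a page that auto-submits a hidden form can still POST cross-site, so the POST-only rule is a necessary step rather than a complete defence against a user's browser being driven by someone else's page.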