Daniel Popowich
dpopowich at comcast.net
Fri Sep 3 18:38:30 EDT 2004
> This is security by obscurity. I would think making sure the values
> passed into a function are safe is more important. The danger of
> security by obscurity is it misleads you into not doing this kind of
> checking...

I fear I was not clear. I should never have used the word "secure."

It should be understood that there is no difference, security-wise, between POST and GET. One is no more secure than the other. Every request, regardless of POST or GET, should be validated before processing.

My decision that mpservlets should not process "_call_" methods for the GET method was simply to obscure Python code. I did not want users of a browser to see something like this in their URL:

http://somehost.org/some/action?_call_get_user_info%28bob%29=Submit

IMHO, this is just begging for attention.

Anyway, I can see that some developers will want something like that and so I will add allowing it by setting an attribute to True. I'm keeping a list of feature requests and will be getting another release out this fall.

Daniel Popowich
-----------------------------------------------
http://home.comcast.net/~d.popowich/mpservlets/