[ic] disabling GET variables

Grant emailgrant123b at yahoo.com
Sun Jun 13 12:18:24 EDT 2004

--- Jon Jensen <jon at endpoint.com> wrote:
> On Fri, 28 May 2004, Grant wrote:
> > I've been careful to not rely on any GET variables
> in
> > my catalog.  Even so, I suppose the "id" variable
> is
> > still passed via GET if the user has cookies
> disabled.
> >  Is doesn't seem like a numerical "mv_pc" would
> matter
> > because it's just an anti-cacher right?  That
> leaves
> > the UI which has GETs all over the place.
> > 
> > It seems like a security risk to allow users to
> modify
> > variables in the URL via GET.  Should I not be
> worried
> > about this, or is there a way to keep that from
> > happening?
> You could play around with that if you want, but it
> certainly won't help 
> your security any. Anything that comes from the user
> is not to be trusted, 
> and that includes GET, POST, the HTTP headers
> including the URL, etc.
> Also, there are times that GET is nice, namely if
> you want to be able to 
> bookmark something like particular query option. If
> you POST, the 
> important stuff won't be in the URL and can't be
> bookmarked.
> Jon

Thanks for your response Jon.  Sorry about my delayed
reply.  I just got caught up on my mailing lists.

It sounds like what I'm suggesting would be a waste of
time.  I'm basically trying to confine user input to
HTML forms.  I'll look into this again later on.

- Grant 

Do you Yahoo!?
Friends.  Fun.  Try the all-new Yahoo! Messenger.

More information about the interchange-users mailing list