[Klone-users] GET/POST confused methods

Mickael Auger mickael.auger at gmail.com
Tue Apr 15 06:51:16 EDT 2008


Hi Stefano,

> GET and POST are just two methods to pass name/value variables from
> the client to the http server. there are also at least two different
> POST encodings: plain and multipart. they encode data in a different
> way but the result is the same: they pass name/value pairs to the
> server and you need to change your code to swap from a method to the
> other.

~ Ok. <http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5> (see
also http://www.cs.tut.fi/~jkorpela/forms/methods.html)



> I can't see any reason or advantage about knowing where those
> variables are coming from, your application will work properly in any
> way because KLone exports all variables in the same consistent way.

~ It's a part of the problem, it's a constraint.

(See track_vars in PHP from version 4.0.3)



> I don't think either that this is a security issue because form
> variables are ALWAYS unsafe, the attacker can modify GET variables and
> POST variables as he likes, the server has no control on that. to stay
> safe the server must always validate user inputs before using them.
> Am I missing something?


I take my previous example:

=========================================

    <form method="POST" action="index.kl1?vara=getvara&varb=getvarb&send=Send">
        <input type="hidden" name="vara" value="postvara" />
        <input type="hidden" name="varb" value="postvarb" />
        <input type="submit" name="send" value="Send" />
    </form>

=========================================




When my page is executed, the values "vara" and "varb" are not correct:

  =========================================

     vara=getvara
     varb=getvarb
     send=Send

  =========================================


My form (=> HTTP method) is POST, but the POST values have been overwritten
by the GET values.
The "request_get_method()" function returns "3" (==POST) and the "request_get_var()"
function returns GET values. There is a contradiction.



Problem when:

1) The form action (URI) OR (hidden) post values are changed in
JavaScript (client-side).

2) When form actions are dynamically set from external sites (URI points to
my site).

3) Is this way fully compatible with proxy-cache?
    <http://www.cs.tut.fi/~jkorpela/forms/methods.html>

-- 
Mickaël AUGER
mickael.auger at gmail.com
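
The collision reported in this message, as an added Python example (not part of the original post and not KLone code): it parses the URL query and the POST body of the form above separately, models a merged namespace in which the URL value wins as observed, and shows a source-aware lookup. The function names and the reject-on-conflict policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed request matching the form quoted in the message above.
REQUEST_TARGET = "/index.kl1?vara=getvara&varb=getvarb&send=Send"
REQUEST_BODY = "vara=postvara&varb=postvarb&send=Send"


def _to_map(encoded):
    """Decode name=value pairs into name -> [values], keeping duplicates."""
    out = {}
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        out.setdefault(name, []).append(value)
    return out


def split_sources(target, body):
    """Return (query_vars, body_vars) without mixing the two sources."""
    return _to_map(urlsplit(target).query), _to_map(body)


def merged_view(query, body):
    """One namespace where the URL value overrides the body value.

    This models the behaviour the message reports; the precedence rule
    is taken from the observed output, not from KLone's source.
    """
    merged = {name: values[0] for name, values in body.items()}
    merged.update({name: values[0] for name, values in query.items()})
    return merged


def conflicts(query, body):
    """Names present in both sources whose values differ."""
    shared = sorted(query.keys() & body.keys())
    return {n: (query[n], body[n]) for n in shared if query[n] != body[n]}


def post_var(method, query, body, name):
    """Read a POST field from the body only; refuse ambiguous names."""
    if method != "POST":
        raise ValueError("handler expects POST")
    if name in conflicts(query, body):
        raise ValueError(f"{name!r} differs between URL and body")
    values = body.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name!r} must appear exactly once in the body")
    return values[0]
```
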