[Klone-users] GET/POST confused methods

Stefano Barbato barbato at koanlogic.com
Wed Apr 16 11:20:57 EDT 2008


Hi Mickael,

On 15/apr/08, at 12:51, Mickael Auger wrote:
> > I don't think either that this is a security issue because form
> > variables are ALWAYS unsafe, the attacker can modify GET variables and
> > POST variables as he likes, the server has no control on that. To stay
> > safe the server must always validate user inputs before using it.
> > Am I missing something?
>
>
> I take my previous example:
>
> =========================================
>
>     <form method="POST" action="index.kl1?vara=getvara&varb=getvarb&send=Send">
>         <input type="hidden" name="vara" value="postvara" />
>         <input type="hidden" name="varb" value="postvarb" />
>         <input type="submit" name="send" value="Send" />
>     </form>
>
> =========================================
>
>
>
>
> When my page is executed, the values "vara" and "varb" are not correct:
>
>   =========================================
>
>      vara=getvara
>      varb=getvarb
>      send=Send
>
>   =========================================
>
> My form (=> HTTP method) is POST, but the POST values have been
> overwritten by the GET values.
> The "request_get_method()" function returns "3" (==POST) and the
> "request_get_var()" function returns GET values. There is a
> contradiction.

oh wait, the "get" word from request_get_var() means "retrieve", it  
doesn't mean "let me read the var passed by the GET method" :)

on new request KLone mixes variables read in the URL (GET method) and
those passed using POST; the result is one single array readable using
the request_get_var() function (and friends).

you say that the result is not correct because GET variables override
POST variables in your example, but I think we cannot say that it is
correct or not because it's something that's not covered by the
standard at all (or at least I wasn't able to find any references about
that).

my point is that it's better to totally ignore the method used to send  
variables to the server and just focus on how those variables have to  
be used. every variable should have its own name so you'll not have  
any name clashes.

do you have any real world example that shows why your example form  
may be required?

bye!
s
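An added illustration, not KLone code and not from either poster, of the merged single-array behaviour this thread describes: URL (GET) and body (POST) variables are parsed into one dictionary, a clash list records every name that both sources supplied, and a defensive variant refuses a request whose two sources disagree. The `get_wins` switch and the `safe_request_vars` helper are my own; the inputs are constructed to reproduce the form quoted above, and Python's `urllib.parse.parse_qsl` stands in for the server's own form parser.

```python
from urllib.parse import parse_qsl


def parse_vars(encoded):
    """Parse an application/x-www-form-urlencoded string into a dict.
    A repeated name keeps its last value, mirroring a flat name->value array."""
    return dict(parse_qsl(encoded, keep_blank_values=True))


def merge_request_vars(query_string, post_body, get_wins=True):
    """Model the single merged array: URL (GET) and body (POST) variables
    land in one dict. Returns (merged, clashes); clashes lists the names
    present in both sources, whichever precedence is in effect.
    get_wins=True reproduces the ordering observed in the thread."""
    get_vars = parse_vars(query_string)
    post_vars = parse_vars(post_body)
    clashes = sorted(set(get_vars) & set(post_vars))
    first, second = (post_vars, get_vars) if get_wins else (get_vars, post_vars)
    merged = dict(first)
    merged.update(second)  # the second source overrides on a clash
    return merged, clashes


def safe_request_vars(query_string, post_body):
    """Defensive variant (hypothetical helper): refuse a request whose URL and
    body disagree on a name, so a handler never acts on a value whose origin
    is ambiguous. Distinct names per source, as suggested above, never clash."""
    merged, clashes = merge_request_vars(query_string, post_body)
    if clashes:
        raise ValueError("ambiguous variables in URL and body: " + ", ".join(clashes))
    return merged


# Constructed inputs reproducing the quoted form: the action URL carries the
# GET variables and the hidden fields travel in the POST body.
QUERY = "vara=getvara&varb=getvarb&send=Send"
BODY = "vara=postvara&varb=postvarb&send=Send"

if __name__ == "__main__":
    merged, clashes = merge_request_vars(QUERY, BODY)
    for name in ("vara", "varb", "send"):
        print(f"{name}={merged[name]}")  # GET values, as the thread reports
    print("clashing names:", clashes)
    try:
        safe_request_vars(QUERY, BODY)
    except ValueError as err:
        print("rejected:", err)
    # Distinct names per source: nothing to clash, request accepted.
    print(safe_request_vars("page=2", "vara=postvara&send=Send"))
```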