-
Notifications
You must be signed in to change notification settings - Fork 17.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
http: POST ignores query params #985
Labels
Comments
It is legal and sometimes convenient to include both query string and post body parameters in a single request. Other frameworks merge the query string and post body parameters in a single collection. Examples include: - Java Servlets - Google App Engine webapp framework for Python - Tornado Web |
Comment 6 by joerg.sonnenberger: Developers should care and if parameters are merged, you have to check explicitly. Let's say you have a simple destructive operation with a simple "confirm" button to check. What happens if someone else places <img width="1" height="1" src="https://missile-launcher.gov/send_nukes?confirm=yes"> on some Facebook page? The validation code has to check that only only are all required fields present, but also that the method is correct. If experience shows anything in this regard, it is that the second tends to be forgotten. In short, being explicit which parameters you mean helps to avoid a common pitfall. |
A correct application will use Request.Method to determine the HTTP method, not where the parameters are encoded in the request (query string or request body). Using separate maps for query string parameters and request body parameters might lead to confusion about the distinction between GET and POST. |
4.3.2 says The POST method is used to request the script perform processing and produce a document based on the data in the request message-body, in addition to meta-variable values. The text definitely says both should be available. Combining the two is a nice, simple interface, which, in the absence of a compelling reason to the contrary, makes it a better one than forcing clients to check two different places. I don't buy the "you'll forget to check" argument about GET vs POST. In plenty of cases you'd be happy to accept parameters via either method and don't care, and it would be extra effort to implement that. People launching missiles should definitely take the extra time to check req.Method, regardless of the form parameters. Gary Burd's comment lists other popular web frameworks that merge the two, suggesting that it's fine to do so in the real world. This has the potential to devolve into quite a bikeshed discussion. I'm happy to listen to other (non-GET vs POST) arguments though. Russ |
This issue was closed by revision 3bf6563. Status changed to Fixed. |
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The text was updated successfully, but these errors were encountered: