> Ouch! This certainly seems like a possible security hole!
>
> As someone else said, use rewrite rules to get this passed
> in as a parameter.
I don't get it: why is it safer to accept GET variables than method names? Concretely, why is the URL http://something.com/script?q=parameter safer than http://something.com/script/parameter if in both cases exactly the same things are happening with 'parameter'? It has to be checked in both cases; characters like ', ", /, \, etc. have to be stripped, and then it will be fed into the same SQL query. So either way, I have to implement some checking mechanism. What difference does it make if the result of the checking is fed into a function as an argument and the SQL query receives it that way, or a method of a class is called by the name 'parameter' and the SQL query receives it as a reference to the method name?

--
http://mail.python.org/mailman/listinfo/python-list
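As an added illustration (not code from anyone in this thread), the two safeguards that make either URL form safe in Python: the action name from the URL is checked against a fixed allowlist before any getattr-style dispatch, so no other method of the class can be reached, and the value is passed to the database as a bound parameter instead of being stripped and spliced into the query text. The table, class and handler names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the script's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?)", [("apple",), ("pear",)])
    return conn


class Handlers:
    """Hypothetical request handlers; only names in ALLOWED are reachable."""

    def __init__(self, conn):
        self.conn = conn

    def lookup(self, value):
        # Parameterized query: the value is bound as data, so quotes or
        # comment markers inside it cannot change the SQL statement.
        rows = self.conn.execute(
            "SELECT name FROM items WHERE name = ?", (value,)
        ).fetchall()
        return [r[0] for r in rows]

    def _reset(self, value):
        # Internal helper that must never be callable from a URL.
        self.conn.execute("DELETE FROM items")


# Explicit allowlist of method names a URL may select.
ALLOWED = {"lookup"}


def dispatch(handlers, method_name, value):
    """Dispatch on a URL-supplied name only if it is in the allowlist.

    Whether method_name came from a path segment or a GET variable makes
    no difference: the allowlist bounds what can be called either way.
    """
    if method_name not in ALLOWED:
        raise LookupError("unknown action: %r" % method_name)
    return getattr(handlers, method_name)(value)
```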