Am 04.02.10 01:42, schrieb John Bokma:
Diez B. Roggischde...@nospam.web.de writes:
Am 03.02.10 19:11, schrieb John Bokma:
Alan Harris-Reida...@baselinedata.co.uk writes:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on
Diez B. Roggisch a écrit :
Am 03.02.10 19:11, schrieb John Bokma:
Alan Harris-Reida...@baselinedata.co.uk writes:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with
Bruno Desthuilliers a écrit :
Diez B. Roggisch a écrit :
(snip)
Making this a post means that you need to resort to javascript to
populate submit a hidden HTML-form.
I beg your pardon This is total nonsense.
Sorry, posted too fast, John alredy adressed this.
--
I'm not sure what you mean by that. Obviously if users want to record
their own conversations, then I can't stop them, but that's much
different than a non-participant in the conversation leaving a recorder
running 24/7. Is that so hard to understand?
Is it so hard to understand that this is
Alan Harris-Reid a...@baselinedata.co.uk writes:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with href='/item_edit?id=123', but
this string appears in the URL and
Diez B. Roggisch de...@nospam.web.de writes:
Am 03.02.10 19:11, schrieb John Bokma:
Alan Harris-Reida...@baselinedata.co.uk writes:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the
Am 03.02.10 19:11, schrieb John Bokma:
Alan Harris-Reida...@baselinedata.co.uk writes:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with href='/item_edit?id=123', but
Am 03.02.10 23:09, schrieb Paul Rubin:
Diez B. Roggischde...@nospam.web.de writes:
Also, your claim of it being more risky is simply nonsense. GET is a
tiny bit more prone to tinkering by the average user. But calling this
less risky is promoting security by obscurity, at most.
GET
Am 04.02.10 00:39, schrieb Paul Rubin:
Diez B. Roggischde...@nospam.web.de writes:
Of course only information not gathered is really safe
information. But every operation that has side-effects is reproducable
anyway, and if e.g. your chat-app has a history, you can as well log
the parameters.
Alan Harris-Reid a...@baselinedata.co.uk writes:
As each link contains row-id, I guess there is nothing to stop someone
from getting the id from the page source-code. Is it safe to use the
above href method if I test for authorised credentials (user/password
stored as session variables,
Diez B. Roggisch de...@nospam.web.de writes:
Also, your claim of it being more risky is simply nonsense. GET is a
tiny bit more prone to tinkering by the average user. But calling this
less risky is promoting security by obscurity, at most.
GET parameters also tend to get recorded in the http
Diez B. Roggisch de...@nospam.web.de writes:
But it would be outrageous for the shop owner to record the
conversations of patrons.
Which is the exact thing that happens when you use an email-provider
with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I
wouldn't call
Am 04.02.10 03:52, schrieb Nobody:
On Wed, 03 Feb 2010 14:09:07 -0800, Paul Rubin wrote:
Also, your claim of it being more risky is simply nonsense. GET is a
tiny bit more prone to tinkering by the average user. But calling this
less risky is promoting security by obscurity, at most.
GET
Alan Harris-Reid a écrit :
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with href='/item_edit?id=123', but
this string appears in the URL and gives clues as to how to
Diez B. Roggisch de...@nospam.web.de writes:
Your web-based chat uses HTTP, no P2P-protocol, and thus the service
provider *can* log conversations. I don't say he should, I don't say I
want that, I don't say there are now laws that prevent them from doing
so, all I say is he *can*.
Sure, my
Bruno Desthuilliers bruno.42.desthuilli...@websiteburo.invalid writes:
The buttons are in the form of a link with href='/item_edit?id=123',
...At least use POST requests for anything that Create/Update/Delete
resources.
There's also the issue that a user can change 123 to 125 and
possibly mess
Paul Rubin a écrit :
Bruno Desthuilliers bruno.42.desthuilli...@websiteburo.invalid writes:
The buttons are in the form of a link with href='/item_edit?id=123',
...At least use POST requests for anything that Create/Update/Delete
resources.
There's also the issue that a user can change 123
Paul Rubin wrote:
Diez B. Roggisch de...@nospam.web.de writes:
But it would be outrageous for the shop owner to record the
conversations of patrons.
Which is the exact thing that happens when you use an email-provider
with IMAP. Or google wave. Or groups. Or facebook. Or twitter. Which I
Diez B. Roggisch de...@nospam.web.de writes:
Am 04.02.10 01:42, schrieb John Bokma:
[..]
Maybe you should think about what happens if someone posts:
img src=http://example.com/item_delete?id=123; to a popular forum...
And the difference to posting
from urrlib2 import open
from urllib
Am 04.02.10 18:22, schrieb John Bokma:
Diez B. Roggischde...@nospam.web.de writes:
Am 04.02.10 01:42, schrieb John Bokma:
[..]
Maybe you should think about what happens if someone posts:
img src=http://example.com/item_delete?id=123; to a popular forum...
And the difference to posting
Many thanks to all those who replied to my question and clearing-up the
differences between GET and POST. I think I know what to do now - if
not, I'll be back :-)
Regards,
Alan
--
http://mail.python.org/mailman/listinfo/python-list
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with href='/item_edit?id=123', but
this string appears in the URL and gives clues as to how to bypass the
correct sequence
Am 03.02.10 19:01, schrieb Alan Harris-Reid:
I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page. The
buttons are in the form of a link with href='/item_edit?id=123', but
this string appears in the URL and gives
Diez B. Roggisch de...@nospam.web.de writes:
If somebody happens to have access to a proxy it's logs, he can as
well log the request body.
I'm not talking about a malicious server operator. In this situation, I
was the server operator and I didn't want to be recording the
conversations. I
Am 03.02.10 23:35, schrieb Paul Rubin:
Diez B. Roggischde...@nospam.web.de writes:
If somebody happens to have access to a proxy it's logs, he can as
well log the request body.
I'm not talking about a malicious server operator. In this situation, I
was the server operator and I didn't want
Diez B. Roggisch de...@nospam.web.de writes:
Of course only information not gathered is really safe
information. But every operation that has side-effects is reproducable
anyway, and if e.g. your chat-app has a history, you can as well log
the parameters.
No I can't. The chat-app history
26 matches
Mail list logo
