Tim Lesher wrote:
> On 9/17/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > How do I do a post redirect?
>
> User agents aren't allowed to automatically fetch a resource with any
> method other than HEAD or GET, without user intervention (see RFC
> 2616).
>
> What's the reason you need to "hide" the parameters? Knowing this
> might help come up with a solution.
>
I can think of only two common cases where people want to hide GET
parameters. (PHP experience talking here.) Those are 1) wanting cleaner
URLs, and 2) trying to keep someone from messing with the request.

In the first case, remember that parameters are also passed
positionally. So you can rewrite your application to pass calls to

    def foo(bar, baz):
        ...

using the URL

    http://www.example.com/foo/abc/123

and it will call foo as though you had made the request

    '/foo?bar=abc&baz=123'

For the second case, shifting a request that should not be trusted from
GET to POST does not solve the problem. Anyone with enough motivation
will make it happen. I remember seeing a "web hacker practice site"
with levels of increasing difficulty. Examining what was sent in a POST
request and modifying it was something like the second level.

If you are worried about someone messing with the URLs of your site,
there is a whole validator system to TG that can help you with this.
With it you can pre-screen any input before it gets passed to your
controller and reject anything you don't want.

Hope that helps,
-Adam
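
The two points in the reply above, as an added example (not part of the original message and not TurboGears code): a standalone dispatcher that maps /foo/abc/123 positionally onto foo(bar, baz) and pre-screens every parameter before the controller runs, applying the same checks to URL segments, query strings and POST fields. The route table, the validators and dispatch() are hypothetical stand-ins for the framework's own machinery.

```python
import re
from urllib.parse import urlsplit, parse_qsl

class Invalid(ValueError):
    """A request parameter failed validation."""

# Hypothetical validators: return the cleaned value or raise Invalid.
def slug(value):
    if not re.fullmatch(r"[a-z]{1,16}", value):
        raise Invalid("expected 1-16 lowercase letters")
    return value

def small_int(value):
    if not re.fullmatch(r"[0-9]{1,4}", value):
        raise Invalid("expected a number from 0 to 9999")
    return int(value)

def foo(bar, baz):
    return "foo called with bar=%s baz=%d" % (bar, baz)

# Route table (hypothetical): name -> (controller, ordered (parameter, validator) pairs)
ROUTES = {"foo": (foo, (("bar", slug), ("baz", small_int)))}

def dispatch(url, form=None):
    """Return (status, body) for a URL plus an optional POST form dict."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if not segments or segments[0] not in ROUTES:
        return 404, "not found"
    controller, spec = ROUTES[segments[0]]
    names = [name for name, _ in spec]
    if len(segments) - 1 > len(names):
        return 404, "not found"
    raw = dict(zip(names, segments[1:]))  # /foo/abc/123 -> bar=abc, baz=123
    # Query-string and POST fields go through exactly the same checks.
    named = parse_qsl(parts.query, keep_blank_values=True) + list((form or {}).items())
    for key, value in named:
        if key not in names or key in raw:
            return 400, "unexpected or duplicate parameter: %s" % key
        raw[key] = value
    try:
        clean = {name: check(raw[name]) for name, check in spec}
    except KeyError as exc:
        return 400, "missing parameter: %s" % exc.args[0]
    except Invalid as exc:
        return 400, str(exc)
    return 200, controller(**clean)
```

The controller only ever sees values that passed its validators, so it makes no difference whether a parameter arrived in the path, the query string or a POST body.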