Quoting Warren Young <wyml@etr-usa.com>:
On Jul 11, 2016, at 3:29 AM, Dave Cross <dave@dave.org.uk> wrote:
The more explicitly-named methods are definitely safer. You really want to know where your parameters are coming from.
I’m still waiting for someone to justify that stance with more than confident prose assertions. Someone, please show me code that the new keywords make better.
[ ... snip ... ]

It's to do with security. If you've written the application, you know the channels that the params should be coming through. If you've written the app so that it sends 'foo' as a body parameter and it arrives as a query parameter, then that might be evidence of someone doing something with your app that you would rather they didn't do. Perhaps they're probing it for security holes.

Imagine you have a form that contains important information in <hidden> form fields. You have filled in those fields in the HTML response that you sent back to the browser. That data should turn up in a body parameter. If it turns up in a query parameter, then someone is trying to override that value. Perhaps for nefarious reasons.

If you were getting the value from a 'param' or 'params' call, you wouldn't know where the value comes from. Is it the legitimate body parameter or the added (perhaps nefarious) query parameter? You don't know. And that should worry you.

By all means continue to take the lax approach if you want. I learned long ago that the internet is a nasty place and I'm going to be as distrustful as possible of the data I get back from my users.

Dave...
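The hidden-field scenario above, as an added illustration that is not part of this thread and not Dancer's own code: a small Python stand-in shows what a merged 'params'-style lookup hides and what a source-explicit lookup can detect. The request (a hidden field `order_id` returned in the POST body, plus a second `order_id` in the query string) is constructed for the example, and the query-over-body precedence in `merged_param` is an assumption made for illustration only, not a statement about any framework.

```python
from urllib.parse import parse_qs
import logging

log = logging.getLogger("param-source")

# Constructed sample request (not from the thread): "order_id" was rendered
# as a hidden input, so the legitimate copy arrives in the body. The query
# string carries a second "order_id" that tries to override it.
SAMPLE_QUERY_STRING = "order_id=999&lang=en"
SAMPLE_BODY = "order_id=42&quantity=3"
HIDDEN_FIELDS = ["order_id"]  # fields the application rendered as hidden inputs


def parse_sources(query_string, body):
    """Parse query string and form body separately so the source of every value is kept."""
    def first_values(raw):
        return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    return {"query": first_values(query_string), "body": first_values(body)}


def merged_param(sources, name):
    """The lax lookup: body and query folded into one dict, so the caller cannot
    tell where a value came from. Query overriding body is an assumed precedence
    chosen purely to make the ambiguity visible."""
    merged = dict(sources["body"])
    merged.update(sources["query"])
    return merged.get(name)


def param_from(sources, name, expected):
    """Explicit lookup: read `name` only from the channel the application expects
    ('body' or 'query') and report every other channel that also carried it."""
    value = sources[expected].get(name)
    conflicts = sorted(s for s, d in sources.items() if s != expected and name in d)
    if conflicts:
        log.warning("parameter %r expected in %s but also present in %s",
                    name, expected, ", ".join(conflicts))
    return value, conflicts


def audit_hidden_fields(sources, hidden_fields):
    """Hidden form fields that were (also) supplied via the query string: the
    probe signal the message above describes, worth logging or rejecting."""
    return [name for name in hidden_fields if name in sources["query"]]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    src = parse_sources(SAMPLE_QUERY_STRING, SAMPLE_BODY)
    print("merged lookup            :", merged_param(src, "order_id"))
    print("explicit body lookup     :", param_from(src, "order_id", "body"))
    print("overridden hidden fields :", audit_hidden_fields(src, HIDDEN_FIELDS))
```

Running it shows the merged lookup silently returning the query-string copy, while the explicit lookup returns the body value and names the query string as a conflicting source, which is exactly the information a handler needs to refuse the request or raise an alert.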