[dancer-users] Methods Of retrieving request parameters
dave at dave.org.uk
Tue Jul 12 16:27:46 BST 2016
Quoting Warren Young <wyml at etr-usa.com>:
> On Jul 11, 2016, at 3:29 AM, Dave Cross <dave at dave.org.uk> wrote:
>> The more explicitly-named methods are definitely safer. You really
>> want to know where your parameters are coming from.
> I’m still waiting for someone to justify that stance with more than
> confident prose assertions. Someone, please show me code that the
> new keywords make better.
[ ... snip ... ]
It's to do with security. If you've written the application, you know
the channels that the params should be coming through. If you've
written the app so that it sends 'foo' as a body parameter and it
arrives as a query parameter, then that might be evidence of someone
doing something with your app that you would rather they didn't do.
Perhaps they're probing it for security holes.
Imagine you have a form that contains important information in
<hidden> form fields. You have filled in those fields in the HTML
response that you sent back to the browser. That data should turn up
in a body parameter. If it turns up in a query parameter, then someone
is trying to override that value. Perhaps for nefarious reasons. If
you were getting the value from a 'param' or 'params' call, you
wouldn't know where the value comes from. Is it the legitimate body
parameter or the added (perhaps nefarious) query parameter? You don't
know. And that should worry you.
By all means continue to take the lax approach if you want. I learned
long ago that the internet is a nasty place and I'm going to be as
distrustful as possible of the data I get back from my users.
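
The hidden-field case described in this message, as an added example that is not part of the original post and not the Dancer project's own code. It assumes Dancer2 with Plack::Test and HTTP::Request::Common installed; the package name, routes and the 'account_id' field are hypothetical.

```perl
use strict;
use warnings;

{
    package HiddenFieldDemo;    # hypothetical app name
    use Dancer2;

    # Lax handler: param() reads the merged parameter set, so the handler
    # cannot tell which channel supplied 'account_id'.
    post '/lax' => sub {
        return 'account_id=' . ( param('account_id') // '' );
    };

    # Strict handler: the form carries 'account_id' in a hidden field, so
    # it must arrive in the request body and nowhere else.
    post '/strict' => sub {
        if ( defined query_parameters->get('account_id') ) {
            # A value on the wrong channel is worth logging, not just ignoring.
            warning 'account_id supplied in query string; rejecting request';
            send_error( 'Unexpected query parameter', 400 );
        }
        my $id = body_parameters->get('account_id');
        send_error( 'Missing account_id', 400 ) unless defined $id;
        return "account_id=$id";
    };
}

use Plack::Test;
use HTTP::Request::Common qw(POST);

my $test = Plack::Test->create( HiddenFieldDemo->to_app );

# Constructed requests: each posts the same body value (42); the last two
# also put a competing value (999) in the query string.
for my $url ( '/strict', '/strict?account_id=999', '/lax?account_id=999' ) {
    my $res  = $test->request( POST $url, [ account_id => 42 ] );
    my $body = $res->is_success ? $res->content : '(rejected)';
    printf "%-26s -> %d %s\n", $url, $res->code, $body;
}
```

The strict route accepts the body-only request and answers 400 when the same name also appears in the query string; the lax route returns a value either way and gives no indication of which channel it came from.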