Zope Requests - POST vs. GET
Hello zope, In the PHP/Perl/CGI I get the Post, and Get variables in another array. This thechique is prevent to merge the Post/Get variables. So if I get the (hided) POST variable named X, and use it to do anything, the common user don't see it. But in Zope I see that all of the variables placed in the request "object", and if anyone create a dummy Get variables, then it is do same thing: <input type="hidden" name="x" id="x" value="nnn"> post is same as: mysite?x=nnn So: the user is can do same effect like my hidden field. Can I separate these arguments/variables as php/perl ? Thanx: KK -- Best regards, fowlertrainer mailto:fowlertrainer@anonym.hu
This a single REQUEST is either a POST or GET request there is no need for this separation IMO. Everything's in the REQUEST. -aj --On Montag, 15. Dezember 2003 13:09 Uhr +0100 fowlertrainer@anonym.hu wrote:
Hello zope,
In the PHP/Perl/CGI I get the Post, and Get variables in another array. This thechique is prevent to merge the Post/Get variables. So if I get the (hided) POST variable named X, and use it to do anything, the common user don't see it.
But in Zope I see that all of the variables placed in the request "object", and if anyone create a dummy Get variables, then it is do same thing:
<input type="hidden" name="x" id="x" value="nnn"> post
is same as:
mysite?x=nnn
So: the user is can do same effect like my hidden field.
Can I separate these arguments/variables as php/perl ?
Thanx:
KK
Hi Andreas, Andreas Jung schrieb:
This a single REQUEST is either a POST or GET request there is no need for this separation IMO. Everything's in the REQUEST.
Thats not entirely true. Sadly there is a design flaw in cgi.py which ignores GET variables still present when doing POST. The whole lib is a bit ugly so its not easy to fix it. And its even worser to fix if you want to achieve compatibility with current implementations. Should variables be merget? Get variables before POST or vice versa? Regards Tino
--On Montag, 15. Dezember 2003 14:36 Uhr +0100 Tino Wildenhain <tino@wildenhain.de> wrote:
Hi Andreas,
Andreas Jung schrieb:
This a single REQUEST is either a POST or GET request there is no need for this separation IMO. Everything's in the REQUEST.
That's not entirely true. Sadly there is a design flaw in cgi.py which ignores GET variables still present when doing POST.
The whole lib is a bit ugly so its not easy to fix it. And its even worser to fix if you want to achieve compatibility with current implementations.
Should variables be merget? Get variables before POST or vice versa?
big hmmmmmmm :-) I don't have the CGI specs under my pillow and I am too lazy to read them but POST usually transmits the data in the body and GET in the QUERY strings. I have never (and needed) a usecase where both were mixed (if allowed). -aj
--On Montag, 15. Dezember 2003 14:36 Uhr +0100 Tino Wildenhain <tino@wildenhain.de> wrote:
Hi Andreas,
Andreas Jung schrieb:
This a single REQUEST is either a POST or GET request there is no need for this separation IMO. Everything's in the REQUEST.
That's not entirely true. Sadly there is a design flaw in cgi.py which ignores GET variables still present when doing POST.
The whole lib is a bit ugly so its not easy to fix it. And its even worser to fix if you want to achieve compatibility with current implementations.
Should variables be merget? Get variables before POST or vice versa?
in the HTTP specs we can find: """ The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line""" How shall we interpret that? Parameters passed as QUERYSTRING in a POST request do override parameters passed in the body? Anyway I don't see why there is a need to mix both. For clearity one should either pass the parameters as POST or GET. -aj
Hi Andreas, Andreas Jung schrieb:
--On Montag, 15. Dezember 2003 14:36 Uhr +0100 Tino Wildenhain <tino@wildenhain.de> wrote:
Hi Andreas,
Andreas Jung schrieb:
This a single REQUEST is either a POST or GET request there is no need for this separation IMO. Everything's in the REQUEST.
That's not entirely true. Sadly there is a design flaw in cgi.py which ignores GET variables still present when doing POST.
The whole lib is a bit ugly so its not easy to fix it. And its even worser to fix if you want to achieve compatibility with current implementations.
Should variables be merget? Get variables before POST or vice versa?
in the HTTP specs we can find: """ The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line"""
How shall we interpret that? Parameters passed as QUERYSTRING in a POST request do override parameters passed in the body?
Anyway I don't see why there is a need to mix both. For clearity one should either pass the parameters as POST or GET.
There are really a lot of use cases for that. You can only use <a hrefs> and redirect to do parameter passing via GET. If the target page uses POST to submit another information, the information on GET is lost for current Zope. Maybe next example makes it more transparent: you make a link published in a e-mail which provides information of an article in a shop referenced by QUERY-String, of course. In the resulting page there is the option to log in first - of course with POST. Currently you have to transport every paramater from query-String to a hidden form field to not loose the values. Thats a bit nasty. Regards Tino
--On Montag, 15. Dezember 2003 16:05 Uhr +0100 Tino Wildenhain <tino@wildenhain.de> wrote:
Hi Andreas,
Andreas Jung schrieb:
--On Montag, 15. Dezember 2003 14:36 Uhr +0100 Tino Wildenhain <tino@wildenhain.de> wrote:
Hi Andreas,
Andreas Jung schrieb:
This a single REQUEST is either a POST or GET request there is no need for this separation IMO. Everything's in the REQUEST.
That's not entirely true. Sadly there is a design flaw in cgi.py which ignores GET variables still present when doing POST.
The whole lib is a bit ugly so its not easy to fix it. And its even worser to fix if you want to achieve compatibility with current implementations.
Should variables be merget? Get variables before POST or vice versa?
in the HTTP specs we can find: """ The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line"""
How shall we interpret that? Parameters passed as QUERYSTRING in a POST request do override parameters passed in the body?
Anyway I don't see why there is a need to mix both. For clearity one should either pass the parameters as POST or GET.
There are really a lot of use cases for that. You can only use <a hrefs> and redirect to do parameter passing via GET. If the target page uses POST to submit another information, the information on GET is lost for current Zope.
Maybe next example makes it more transparent:
you make a link published in a e-mail which provides information of an article in a shop referenced by QUERY-String, of course.
In the resulting page there is the option to log in first - of course with POST.
ok, thanks for pointing this out :-) -aj
Andreas Jung wrote:
in the HTTP specs we can find: """ The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line"""
Note the errata, http://skrb.org/ietf/http_errata.html#post -- Jamie Heilman http://audible.transient.net/~jamie/ "I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
participants (4)
-
Andreas Jung -
fowlertrainerļ¼ anonym.hu -
Jamie Heilman -
Tino Wildenhain