[Zope] assignment to form records
Oliver Bleutgen
myzope@gmx.net
Sun, 09 Mar 2003 11:57:04 +0100
Dylan Reinhardt wrote:
> My unsolicited $.02:
>
> You may want to think twice about relying on this for a public-facing
> production system.
>
> The first rule of security for a public web site is to validate *all*
> client input. That includes posted values, *and* field names.
>
> Depending on the client to post a form without tweaking the field names
> is a pretty trusting position to take, IMO. If you're going to validate
> your data anyway, what's the point of specifying data types at any point
> prior to validation?
>
> Including meaningful field names in your form just gives you one more
> failure point... it's one more thing you should be validating but most
> likely aren't, or you wouldn't be using it in the first place.
>
> The field name hack is a really neat trick... but it's not something I'd
> advise depending on for anything important that gets public exposure.
Could you elaborate on this a little bit?
I can't see any problem with using field names which hold data structure
information. What you shouldn't do is _rely_ on the types (name:int
etc.) for anything important, but using the names to get the data as a
record or list etc. doesn't seem dangerous to me.
thanks,
oliver
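The distinction drawn above (use the field-name suffixes to get structure, but validate the values yourself) as an added example; this is not code from the thread or from Zope itself, just a cut-down re-implementation of the ':int'/':list'/':record' marshalling, followed by a validation step for an assumed 'order' form that enforces the types and shape the application expects regardless of what the client declared.

```python
# Suffix converters (a subset of what Zope's publisher understands).
CONVERTERS = {"int": int, "float": float, "string": str}

def marshal(form):
    """Marshal posted (name, value) pairs like ('qty:int', '3') or ('ship.zip:record',
    '12345') into a dict; the client chose the suffixes, so shape and types stay untrusted."""
    result = {}
    for raw_name, value in form:
        name, *flags = raw_name.split(":")
        converted, as_list, as_record = value, False, False
        for flag in flags:
            if flag in CONVERTERS:
                converted = CONVERTERS[flag](converted)  # may raise ValueError
            elif flag == "list":
                as_list = True
            elif flag == "record":
                as_record = True
            else:
                raise ValueError(f"unknown suffix {flag!r}")
        target = result
        if as_record:  # 'rec.attr:record' -> result['rec']['attr']
            name, attr = name.split(".", 1)  # ValueError if there is no '.'
            target = result.setdefault(name, {})
            name = attr
        if as_list:
            target.setdefault(name, []).append(converted)
        else:
            target[name] = converted
    return result

def validate_order(data):
    """Server-side validation for an assumed 'order' form: enforce the shape and types
    the app expects, whatever the client declared, and return a copy with known fields only."""
    qty = data.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= 100:
        raise ValueError("qty must be an int between 1 and 100")
    ship = data.get("ship")
    if not isinstance(ship, dict) or set(ship) != {"name", "zip"}:
        raise ValueError("ship must be a record with exactly name and zip")
    zip_code = ship["zip"]
    if not (isinstance(zip_code, str) and zip_code.isdigit() and len(zip_code) == 5):
        raise ValueError("zip must be five digits")
    return {"qty": qty, "ship": {"name": str(ship["name"])[:80], "zip": zip_code}}

def accepts(form):  # True only if the post both marshals and passes validation
    try:
        validate_order(marshal(form))
    except ValueError:
        return False
    return True
```

A post that drops the ':int' suffix, adds an extra record attribute, or sends 'qty:int:list' still marshals fine but is rejected by the validator, which is the point: the suffixes are a convenience for structure, not a trust boundary.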