Open GoogleCodeExporter opened 9 years ago
Original comment by neil.mat...@gmail.com on 2 Dec 2009 at 8:43
The order isn't guaranteed. We *could* do this by parsing the query string. But perhaps this is better done by implementing doPost only, and not having one handler for both doPost and doGet. What's the danger here? Exposing params on the URL? Making phishing via tinyurl marginally easier?

Do you think an httputility method to getPostParameter() and getGetParameter() makes sense?
Original comment by planetlevel on 2 Dec 2009 at 9:39
The other reason I can think of is some VERY basic CSRF protection. Yes, we all know that this is the worst way, but I see some value in implementing this. Some frameworks unfortunately hide the doPost/doGet so I think there is some value.

Lastly, values for navigation are often in the GET string, while the real data is in the POST section. So if you have page.jsp?state=doSomething with social_security_number in the post body, you may want to ensure the social_security_number is in fact in the post body and not appended to the query string (which is stored in the history, access logs, etc).

Yes, this only buys minimal protection from the least sophisticated hackers so we have to decide whether it is worth the effort.
Original comment by neil.mat...@gmail.com on 2 Dec 2009 at 9:59
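An added illustration of the getPostParameter() idea discussed above (hypothetical helper code written for this thread, not the project's own HTTPUtilities API): the servlet API merges URL and body parameters in getParameter(), so the helper parses the raw query string itself to decide whether a name arrived on the URL. It assumes the caller passes request.getMethod(), request.getQueryString() and the merged request.getParameter(name) value.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper, not part of any existing library.
public final class PostOnlyParams {

    /** Parameter names present in the raw query string, URL-decoded. */
    static Set<String> queryStringNames(String queryString) {
        Set<String> names = new HashSet<>();
        if (queryString == null || queryString.isEmpty()) {
            return names;
        }
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            names.add(URLDecoder.decode(rawName, StandardCharsets.UTF_8));
        }
        return names;
    }

    /**
     * Returns mergedValue (what request.getParameter(name) gave back) only
     * when the request is a POST and name did not appear on the query string.
     * Returns null otherwise; the caller should treat null as a validation
     * failure rather than silently falling back to getParameter().
     */
    static String getPostParameter(String method, String queryString,
                                   String name, String mergedValue) {
        if (!"POST".equalsIgnoreCase(method)) {
            return null;   // GET/HEAD/etc.: the value can only have come from the URL
        }
        if (queryStringNames(queryString).contains(name)) {
            return null;   // name was on the URL: history, access logs, Referer
        }
        return mergedValue; // name is absent from the URL, so it came from the body
    }

    public static void main(String[] args) {
        // Constructed sample: navigation state on the URL, sensitive field in the body.
        System.out.println(getPostParameter("POST", "state=doSomething",
                "social_security_number", "123-45-6789"));
        // Same field also appended to the query string: rejected.
        System.out.println(getPostParameter("POST",
                "state=doSomething&social_security_number=123-45-6789",
                "social_security_number", "123-45-6789"));
    }
}
```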
Original issue reported on code.google.com by neil.mat...@gmail.com on 2 Dec 2009 at 8:42