[whatwg] <a href="" ping="">
Charles Iliya Krempeaux
supercanadian at gmail.com
Wed Oct 26 13:09:55 PDT 2005
Hello,
On 10/25/05, Jasper Bryant-Greene <jasper at album.co.nz> wrote:
> On Tue, 2005-10-25 at 14:06 -0700, Charles Iliya Krempeaux wrote:
> > Perhaps the best way of handling this is to use a totally new HTTP
> > method (other than "GET" or "POST"). Maybe "PING".
> >
> > That way you don't have to worry about people screwing things up or
> > hacking due to POST'ing (of a URL like the flickr URL you gave).
>
> That Flickr URL was a GET. It's a non-issue anyway -- using a POST does
> not offer any additional ability to "screw things up" or "hack".
That flickr URL may have been via an HTTP GET, but many server-side
scripting languages treat "parameters" from a GET request and a POST
request the same. I.e., many server side scripts are written so that
they are indifferent to how they receive the "parameters" we send
them.
For example, in PHP we have a "super global variable" called $_GET
that contains all the parameters from an HTTP GET request. So, if we
had a URL like:
http://example.net/doaget.php?a=x&b=y&c=z
Then we would have:
$_GET['a'] == 'x'
$_GET['b'] == 'y'
$_GET['c'] == 'z'
Likewise, with an HTTP POST, we have a $_POST "super global variable"
that contains all the parameters from the HTTP POST request. So, if
we made a call with a form like:
<form method="POST" action="http://example.net/goapost.php">
<input type="hidden" name="d" value="abc" />
<input type="hidden" name="e" value="xyz" />
<input type="submit" />
</form>
Then we'd have:
$_POST['d'] == 'abc'
$_POST['e'] == 'xyz'
And if everyone who wrote PHP server side scripts used these --
$_GET and $_POST -- then we'd have no problem. (We can easily tell
the difference between "parameters" from an HTTP GET and an HTTP
POST.)
However, $_GET, $_POST, and other "super global variables" were NOT
originally part of PHP. Originally, "parameters" from an HTTP GET and
an HTTP POST were simply put in normal variables (with the name).
So, from the previous HTTP GET example, we'd just have:
$a == 'x'
$b == 'y'
$c == 'z'
And, from the previous HTTP POST example, we'd just have:
$d == 'abc'
$e == 'xyz'
With this method of getting "parameters", there's no (easy) way of
telling the difference between HTTP GET "parameter" and HTTP POST
"parameters".
So if we hit the URL:
http://example.net/goapost.php?d=abc&e=xyz
(Note, this is the same script as from our HTTP POST example.) Then
we'd still get:
$d == 'abc'
$e == 'xyz'
And the script... which was supposed to be POST'ed to... would still
run and execute the same.
And yeah, I know this is a problem with how people code PHP scripts,
and not really an HTTP or HTML problem. But it's still a problem we
might want to consider.
[...]
See ya
--
Charles Iliya Krempeaux, B.Sc.
charles @ reptile.ca
supercanadian @ gmail.com
developer weblog: http://ChangeLog.ca/
___________________________________________________________________________
Never forget where you came from
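As an added illustration (not from the original message, and not PHP's own code), here is a register_globals-style handler of the kind described above beside one that only acts on a real POST. The function names, request arrays and sample values are constructed for the demonstration; it runs from the PHP CLI with the request data filled in by hand.

```php
<?php
// Added example: contrast an old-style PHP handler that cannot tell GET
// parameters from POST parameters with one that insists on the POST method.

// Old style: both sources are spilled into plain variables (emulating
// register_globals with extract()), so a bare GET of
// /goapost.php?d=abc&e=xyz reaches the same code path as the form POST.
function handle_legacy(array $get, array $post): string
{
    extract($get);   // query-string parameters become $d, $e, ...
    extract($post);  // body parameters likewise; later assignment wins
    if (isset($d, $e)) {
        return "performed action with d=$d e=$e";
    }
    return "nothing to do";
}

// Hardened: check the request method and read only $_POST, so a link,
// image fetch or ping that arrives as a GET is refused before any action.
function handle_strict(string $method, array $post): string
{
    if ($method !== 'POST') {
        // A real handler would also send a 405 status here.
        return "refused: state-changing request must be POSTed";
    }
    if (!isset($post['d'], $post['e'])) {
        return "nothing to do";
    }
    return "performed action with d={$post['d']} e={$post['e']}";
}

// Constructed sample requests: the hidden-field form POST from the post,
// and the same parameters arriving as a plain GET on the query string.
$formPost = ['method' => 'POST', 'get' => [], 'post' => ['d' => 'abc', 'e' => 'xyz']];
$bareGet  = ['method' => 'GET', 'get' => ['d' => 'abc', 'e' => 'xyz'], 'post' => []];

foreach (['form POST' => $formPost, 'bare GET' => $bareGet] as $label => $req) {
    echo str_pad($label, 10), " legacy: ", handle_legacy($req['get'], $req['post']), "\n";
    echo str_pad($label, 10), " strict: ", handle_strict($req['method'], $req['post']), "\n";
}
```

The legacy handler reports "performed action" for both requests, while the strict one performs the action only for the form POST and refuses the GET.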