- From: Jasper Bryant-Greene <jasper@album.co.nz>
- Date: Thu, 27 Oct 2005 09:18:22 +1300
On Wed, 2005-10-26 at 13:09 -0700, Charles Iliya Krempeaux wrote:
> Hello,
>
> On 10/25/05, Jasper Bryant-Greene <jasper at album.co.nz> wrote:
> > On Tue, 2005-10-25 at 14:06 -0700, Charles Iliya Krempeaux wrote:
> > > Perhaps the best way of handling this is to use a totally new HTTP
> > > method (other than "GET" or "POST"). Maybe "PING".
> > >
> > > That way you don't have to worry about people screwing things up or
> > > hacking due to POST'ing (of a URL like the flickr URL you gave).
> >
> > That Flickr URL was a GET. It's a non-issue anyway -- using a POST does
> > not offer any additional ability to "screw things up" or "hack".
>
> That flickr URL may have been via an HTTP GET, but many server-side
> scripting languages treat "parameters" from a GET request and a POST
> request the same. I.e., many server-side scripts are written so that
> they are indifferent to how they receive the "parameters" we send
> them.
>
> For example, in PHP we have a "super global variable" called $_GET
> that contains all the parameters from an HTTP GET request. So, if we
> had a URL like:

[snip]

> And the script... which was supposed to be POST'ed to... would still
> run and execute the same.
>
> And yeah, I know this is a problem with how people code PHP scripts,
> and not really an HTTP or HTML problem. But it's still a problem we
> might want to consider.

We shouldn't need to design the spec around people using other specs in
the wrong way. It is wrong to cause a change (such as a photo being
deleted) from a GET request. The HTTP spec states this. In the above
example, Flickr are in the wrong.

Although in old versions of PHP register_globals defaulted to on (one of
the worst choices the PHP developers ever made IMHO), the developer still
had the choice of what to *send*, or tell others to send, to their
script. And you could still access $HTTP_POST_VARS and $HTTP_GET_VARS
(now $_POST and $_GET), or check $HTTP_REQUEST_METHOD was 'POST'.
So PHP didn't prevent developers from following the specs, it just made
it a bit harder.

--
Jasper Bryant-Greene
General Manager
Album Limited

e: jasper at album.co.nz
w: http://www.album.co.nz/
p: 0800 4 ALBUM (0800 425 286) or +64 21 232 3303
a: PO Box 579, Christchurch 8015, New Zealand
Received on Wednesday, 26 October 2005 13:18:22 UTC
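The following is an added illustration of the point argued in this message; it is not code from the thread, from Flickr, or from PHP's own documentation. It contrasts a "delete photo" handler that reads its parameter from `$_REQUEST` (which PHP fills from GET, POST and cookies alike, so the script cannot tell how the value arrived, much as `register_globals` used to do implicitly) with one that refuses anything but POST and reads only `$_POST`. The request method is taken from `$_SERVER['REQUEST_METHOD']` in a real script. The photo store, the two handler names and the replayed requests are constructed for the example.

```php
<?php
// Added example (not from the original thread). Two versions of a
// "delete photo" handler, replayed against constructed GET and POST
// requests so the difference is visible offline. Run with: php this.php

// Constructed sample data standing in for the photo store.
$photos = ['42' => 'holiday.jpg', '43' => 'cat.jpg'];

// Loose version (hypothetical name): reads the id from $_REQUEST-style
// input, which merges $_GET and $_POST, so a plain link, an <img src>,
// a prefetcher or a crawler issuing a GET can delete a photo exactly as
// a POSTed form would. This is the behaviour the thread complains about.
function delete_loose(array &$photos, array $request): string
{
    $id = $request['id'] ?? null;
    if ($id === null || !isset($photos[$id])) {
        return '400 no such photo';
    }
    unset($photos[$id]);
    return "200 deleted $id";
}

// Strict version (hypothetical name): follows the HTTP rule that GET
// must not cause a change. It checks the request method first and reads
// the id only from the POST body, never from the query string.
function delete_strict(array &$photos, string $method, array $post): string
{
    if ($method !== 'POST') {
        // 405 Method Not Allowed; a GET to this URL does nothing.
        return '405 method not allowed';
    }
    $id = $post['id'] ?? null;
    if ($id === null || !isset($photos[$id])) {
        return '400 no such photo';
    }
    unset($photos[$id]);
    return "200 deleted $id";
}

// Constructed requests. In a live script these come from the superglobals
// $_SERVER['REQUEST_METHOD'], $_GET, $_POST and $_REQUEST.
$requests = [
    ['method' => 'GET',  'get' => ['id' => '42'], 'post' => []],
    ['method' => 'POST', 'get' => [],             'post' => ['id' => '43']],
];

foreach ($requests as $r) {
    // Approximates $_REQUEST: query-string and body parameters merged.
    $request = array_merge($r['get'], $r['post']);

    // Each handler works on its own copy so the two runs do not interfere.
    $store_loose  = $photos;
    $store_strict = $photos;

    printf(
        "%-4s loose: %-22s strict: %s\n",
        $r['method'],
        delete_loose($store_loose, $request),
        delete_strict($store_strict, $r['method'], $r['post'])
    );
}
```

Running it prints `200 deleted 42` for the GET under the loose handler but `405 method not allowed` under the strict one, while the POST succeeds under both. Requiring POST is what stops the "someone follows a URL and a photo disappears" case the thread is about; it is not by itself a defence against a cross-site form that auto-submits a POST, which needs a separate per-session token and is outside what this message discusses.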