XH 1.7: stricter distinction between $_GET and $_POST

Discussions and requests related to new CMSimple features, plugins, templates etc. and how to develop.
Please don't ask for support at these forums!
cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE


Post by cmb » Wed Dec 03, 2014 8:09 pm

Hello Community,

I suggest that we try to clean the handling of request parameters for CMSimple_XH 1.7. As it's now, many request parameters can be passed in a query string ($_GET) or as form fields ($_POST). IMO that is a bad practice (at least it's still slightly better than using $_REQUEST), because it is seducing to confuse GET and POST requests, which have a clear semantic distinction (see RFC 7231, section 4.2), but even worse, they make it easier for attackers to do harm (or at least annoying things), because it is easier to trick somebody with a link than with a form.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH
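The distinction the post argues for, shown as an added example that is not CMSimple_XH code: the same state-changing action written once with the GET/POST fallback and once restricted to POST form fields. The action name `delete`, the `page` parameter and the `deletePage` callback are assumptions for illustration; the request arrays are passed as parameters so the handlers can be exercised with constructed input.

```php
<?php
// Weak variant: the parameter is honoured whether it arrives in the query
// string or as a form field. A plain GET request (i.e. a link) is therefore
// enough to reach the state change, which is the risk described in the post.
function handleActionWeak(array $get, array $post, callable $deletePage): string
{
    $action = $get['action'] ?? $post['action'] ?? '';
    if ($action === 'delete') {
        $page = $get['page'] ?? $post['page'] ?? '';
        $deletePage($page);
        return 'deleted';
    }
    return 'noop';
}

// Strict variant: state-changing actions are honoured only for POST requests
// and only from form fields; anything in the query string is ignored, so GET
// stays a safe method as RFC 7231 section 4.2 requires.
function handleActionStrict(string $method, array $get, array $post, callable $deletePage): string
{
    if ($method !== 'POST') {
        return 'noop';
    }
    $action = $post['action'] ?? '';   // deliberately no fallback to $get
    if ($action === 'delete' && isset($post['page'])) {
        $deletePage($post['page']);
        return 'deleted';
    }
    return 'noop';
}

// Constructed input: the parameters carried in the query string of a GET
// request, as a link would deliver them. In real code the handlers would be
// called with $_SERVER['REQUEST_METHOD'], $_GET and $_POST instead.
$deleted = [];
$deletePage = function (string $page) use (&$deleted): void {
    $deleted[] = $page;
};
$viaQueryString = ['action' => 'delete', 'page' => '3'];

// The weak handler performs the deletion from the link; the strict handler
// ignores it and only acts when the same fields arrive as a POST form.
echo handleActionWeak($viaQueryString, [], $deletePage), "\n";
echo handleActionStrict('GET', $viaQueryString, [], $deletePage), "\n";
echo handleActionStrict('POST', [], $viaQueryString, $deletePage), "\n";
echo 'pages deleted: ', implode(',', $deleted), "\n";
```

Restricting the action to POST removes the link vector the post describes but not a forged form, so the form itself still needs a per-session token before the action is trusted.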
