on 9/25/03 7:32 PM, Bob Hicks at suppressed wrote:
>> Cox, Todd (NIH/NCI) wrote:
>>
>>> How can I 1) eliminate the CGI param(message) body from
>> being shown on
>>> the URL
>>>
>> So the URL shown as something like
>> http://myhost.com/mail.pl?body=Dear%20Whoever....... ? If so,
>> you need to use the POST method
>> instead of GET at the form of
>> inputting the email message. (Did I get your question right?)
>>
>> --Bird
>>
> Randall Swartz said something to the effect of "you shouldn't let anyone
> know what you are using for cgi". He was speaking of using extensions to
> file names like ".pl".
Security through obscurity?
Doesn't really matter what one is using for cgi if you don't validate /
examine everything that is returned from a browser (session_ids, uploaded
files, parameter values).
As for GET vs. POST, it seems more large sites enURL the returning data or
use GETs instead of POSTs, even for submitting values. Many sites, since
bandwidth isn't an issue, abandon <form>'s and href every value:
<a href="https://enurld_string">Vote for Joe</a>
The plus side to this is you can see the values in the server logs and it
can make debugging easier. The minus side is the enurl'd string is usually
held in the browser's history file.
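As an added illustration of the GET-vs-POST trade-off discussed in this message (this is not code from the thread or from the cgiapp project, and it is in Python rather than the Perl of the original): the same form fields are built once as a GET URL and once as a POST request, an access-log line in Common Log Format is derived from each to show which one leaks the message into logs and history, and the fields are then checked server-side in the way the post recommends regardless of which method carried them. The script name mail.pl, the field names `to` and `body`, the client address and the log timestamp are assumptions chosen for the example.

```python
"""Added example: GET vs POST for a mail-form submission, and validating the
parameters either way.  mail.pl, the `to`/`body` fields, the client address
and the timestamp are assumptions made up for this illustration."""
import re
from urllib.parse import urlencode, urlsplit, parse_qs, quote

SCRIPT = "/mail.pl"        # assumed CGI script name, as in the thread's URL


def build_get_url(host, params):
    """GET: every field is serialised into the URL the browser fetches.
    This exact string is what ends up in the browser history file."""
    return f"https://{host}{SCRIPT}?{urlencode(params, quote_via=quote)}"


def build_post_request(host, params):
    """POST: the request line carries only the bare script path; the fields
    travel in the entity body, which access logs do not record."""
    body = urlencode(params, quote_via=quote)
    head = (f"POST {SCRIPT} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head + body


def access_log_line(client, method, url):
    """Common Log Format entry for a request: only method + path + query
    are logged, never a POST body.  Timestamp is constructed, not real."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return (f'{client} - - [25/Sep/2003:19:32:00 -0400] '
            f'"{method} {target} HTTP/1.1" 200 -')


def parse_form(encoded):
    """Decode an application/x-www-form-urlencoded string (query string or
    POST body) to a flat dict.  A client can repeat a field; here the first
    value wins, and the same rule is applied to both methods."""
    return {k: v[0] for k, v in
            parse_qs(encoded, keep_blank_values=True).items()}


MAX_BODY = 4000
# Deliberately strict address shape: no whitespace, no CR/LF, one '@'.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_mail_params(params):
    """Checks the fields the way the post advises, whatever method carried
    them.  Returns (ok, reason)."""
    to = params.get("to", "")
    body = params.get("body", "")
    # fullmatch rejects an empty or malformed recipient and also any CR/LF,
    # which would otherwise let a submitter append mail headers of its own.
    if ADDR_RE.fullmatch(to) is None:
        return False, "bad recipient"
    if len(body) > MAX_BODY:
        return False, "body too long"
    return True, "ok"


if __name__ == "__main__":
    fields = {"to": "someone@example.org", "body": "Dear Whoever"}
    get_url = build_get_url("myhost.com", fields)
    print(access_log_line("10.0.0.1", "GET", get_url))
    print(access_log_line("10.0.0.1", "POST", "https://myhost.com" + SCRIPT))
    post = build_post_request("myhost.com", fields)
    print(validate_mail_params(parse_form(post.split("\r\n\r\n", 1)[1])))
```

Run it and compare the two log lines: the GET entry contains `body=Dear%20Whoever`, the POST entry is just `POST /mail.pl`. Note that moving to POST only changes where the data is written down (history and access logs); it does nothing about the need to validate what arrives, which is why the checks in `validate_mail_params` are applied to the decoded dict rather than to a particular transport.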
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed