From: Jim Markley (jimmarkley_at_dallasmeetingmanagement.com)
Date: Wed Jul 10 2002 - 16:22:36 CDT

    Greetings,

        For websites that I am developing for, I am using POST in conjunction
    with hidden variables to pass information back and forth between the server
    and client to preserve the state of the web form. After reading from this
    list for a while, I have changed a couple of things up that I do. I have
    always used an internal list of what the form fields are to parse out the
    values being passed back. So, if someone inserts an additional field, changes
    the name of a field, etc., not a problem, it just doesn't get picked up and
    used. On non-text input fields such as radio, checkbox and select lists, I
    am now range checking and validating them to make certain that they are
    values that I am expecting. I wasn't before, but should someone want to
    manipulate an HTML page and submit it, this will catch it. I am now also
    doing a simple cleanup of text to remove scripting characters. Whether or
    not someone views either the hidden fields or a querystring, as long as the
    server application validates, type checks, range checks, etc., and only
    accepts the data that is valid for that application, rejecting back to the
    user any invalid data, there shouldn't be a problem using either querystring
    or hidden form variables. I use querystrings to serve up a news article
    page, but personally prefer using hidden fields where possible because it
    gives a cleaner appearance to the URL. The POST can pass 100K of data back
    to the server and the GET much less, I think, is what I read.

    Jim

    ----- Original Message -----
    From: "Steven Fling" <SFLINGoppenheimerfunds.com>
    To: <webappsecsecurityfocus.com>
    Sent: Wednesday, July 10, 2002 1:36 PM
    Subject: Best Practices for passing data via HTTP

    Our application communicates across various application server environments
    via HTTP/HTTPS requests (versus RMI, etc.) and needs to pass data/parameters
    back and forth. Naturally we use SSL to encrypt the request/response.

    I wanted to see if there were any Best Practices established to transfer
    data in this fashion. POST vs. GET method, querystring vs. hidden form
    variable, etc.

    Any insight would be appreciated!

    ____________________________________
    Steve Fling
    Managing Architect - Web Development
    OppenheimerFunds, Inc.
    sflingoppenheimerfunds.com
    Office: 303.768.3200
    FAX: 303.768.1096
    http://www.oppenheimerfunds.com
    ____________________________________

    This electronic mail transmission may contain confidential information and
    is intended only for the person(s) named. Any use, copying or disclosure by
    any other person is strictly prohibited. If you have received this
    transmission in error, please notify the sender via e-mail.
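Jim's reply describes a server that walks its own list of expected fields, range-checks radio/checkbox/select values against the set it expects, strips scripting characters from free text, and rejects anything invalid back to the user. The following is an added example of that approach in Python; it is not code from either poster, and the form definition (a hypothetical registration form with a hidden `step` field carrying wizard state) is constructed for illustration.

```python
import re
from typing import Mapping, Sequence

# Constructed field list for a hypothetical registration form. The server parses
# the submission by walking THIS list, so extra or renamed fields in a tampered
# page are never read. Hidden fields get the same checks as visible ones.
FORM_FIELDS = {
    "attendee_name": {"type": "text", "max_len": 80},
    "ticket_type":   {"type": "choice", "allowed": {"standard", "vip", "student"}},
    "sessions":      {"type": "multi", "allowed": {"keynote", "workshop_a"}},
    "newsletter":    {"type": "choice", "allowed": {"yes", "no"}},
    "step":          {"type": "int", "min": 1, "max": 4},  # hidden wizard state
}

# Characters the "simple cleanup" removes from free text; HTML-escaping on
# output is the usual complement, so stripping is not the only line of defence.
SCRIPT_CHARS = re.compile(r"[<>\"'&]")


def validate_form(submitted: Mapping[str, Sequence[str]]) -> tuple[dict, list[str]]:
    """Return (accepted values, errors). Any error means the whole submission
    is rejected back to the user rather than partially accepted."""
    clean: dict = {}
    errors: list[str] = []
    for name, spec in FORM_FIELDS.items():
        values = list(submitted.get(name, []))  # form parsers give a list per name
        kind = spec["type"]
        if kind == "text":
            text = values[0] if values else ""
            if len(values) > 1 or len(text) > spec["max_len"]:
                errors.append(f"{name}: unexpected length")
                continue
            clean[name] = SCRIPT_CHARS.sub("", text)
        elif kind == "choice":  # radio button or single select: exactly one allowed value
            if len(values) != 1 or values[0] not in spec["allowed"]:
                errors.append(f"{name}: value not in expected set")
                continue
            clean[name] = values[0]
        elif kind == "multi":  # checkbox group or multi-select: every value must be allowed
            if any(v not in spec["allowed"] for v in values):
                errors.append(f"{name}: value not in expected set")
                continue
            clean[name] = sorted(set(values))
        elif kind == "int":  # range-checked hidden state value
            if len(values) != 1 or not values[0].isdecimal() \
                    or not spec["min"] <= int(values[0]) <= spec["max"]:
                errors.append(f"{name}: out of range")
                continue
            clean[name] = int(values[0])
    return clean, errors
```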