2012-02-21 01:15:00 -05:00


[
  {
    "user_id": 5981,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308251775.041028,
    "message": "By relying on POST data, you more or less side-step that whole scenario.",
    "group_id": 81,
    "id": 1412892
  },
  {
    "user_id": 5981,
    "stars": [{"date_created": 1308292856.2850659, "user_id": 11592}],
    "topic_id": 39570,
    "date_created": 1308251731.9084401,
    "message": "Part of the philosophy is to not promote the ability for a user to bookmark or link to a url that can impact the integrity of your (or their) data. A ridiculous example: imagine passing someone a url for a social network site they were a member of - a link that triggered the deletion of their content in a non-revertible way.",
    "group_id": 81,
    "id": 1412886
  },
  {
    "user_id": 34431,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308250877.9026189,
    "message": "So everyone always goes on about how you shouldn't alter database values on a GET request, or via GET parameter, but why? I was thinking about Forms and the spam they sometimes bring with them. This is because a bot can easily figure out what information it needs to fill in (anything between the form tags), and then submit that. It's much harder (impossible) to know what GET parameters a URL expects.\nCouldn't you come up with a system of submitting data where every time the page loads, the key for the get parameters change?",
    "group_id": 81,
    "id": 1412751
  },
  {
    "user_id": 34431,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308250914.2003,
    "message": "I know this isn't a Django topic per se, but this is one of the most active groups",
    "group_id": 81,
    "id": 1412760
  },
  {
    "user_id": 13335,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308251615.5525889,
    "message": "POST without ever having displayed a form would accomplish the same goal",
    "group_id": 81,
    "id": 1412861
  },
  {
    "user_id": 5863,
    "stars": [
      {"date_created": 1308253020.946337, "user_id": 5981},
      {"date_created": 1308253615.9366441, "user_id": 281},
      {"date_created": 1308574011.532773, "user_id": 1243}
    ],
    "topic_id": 39570,
    "date_created": 1308252958.1139431,
    "message": "If you're getting into any form of web development, including working with django, I would strongly recommend reading the http spec. It's short and without understanding the important parts you'll make lots of avoidable errors",
    "group_id": 81,
    "id": 1413062
  },
  {
    "user_id": 34360,
    "stars": [
      {"date_created": 1308251419.8450921, "user_id": 15666},
      {"date_created": 1308313766.932569, "user_id": 13817}
    ],
    "topic_id": 39570,
    "date_created": 1308251310.8035879,
    "message": "You could, but you'd be reinventing a very insecure wheel instead of doing form POSTs correctly, using a CSRF key like Django or a similar approach.",
    "group_id": 81,
    "id": 1412822
  },
  {
    "user_id": 3580,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308265128.9221499,
    "message": "yeah, I think the point isn't to not alter database values, exactly.. but that GET calls ought to be harmlessly repeatable.. in that the system is in the same general state whether a URL is GET'd 0, 1, or 100 times...\nExamples where it's totally reasonable to write data on a GET include things like audit logging, etc.",
    "group_id": 81,
    "id": 1414404
  },
  {
    "user_id": 11592,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308292484.762265,
    "message": "imagine that: somebody puts <img src=\"http://yoursite.com/accounts/logout/\" title=\"lol u mad?\"/> into his page and shows it to you.",
    "group_id": 81,
    "id": 1416573
  },
  {
    "user_id": 25694,
    "stars": [{"date_created": 1308297246.0562921, "user_id": 35335}],
    "topic_id": 39570,
    "date_created": 1308295147.288933,
    "message": "spiders treat GET as harmless, whereas they (usually) avoid doing POST requests. If you use GET to alter the database, some bot may be hitting URLs that you might not want to. Also, browsers provide warnings when the user hits the back button to a POST page, which helps prevent user-error of modifying the database accidentally.",
    "group_id": 81,
    "id": 1416751
  },
  {
    "user_id": 12817,
    "stars": [],
    "topic_id": 39570,
    "date_created": 1308309848.4208291,
    "message": "For examples of what @dpwiz and @jeffhui mentioned: The former was done quite frequently on Myspace, so that visiting certain profile pages would log someone out; as for the latter: http://thedailywtf.com/Articles/The_Spider_of_Doom.aspx and http://thedailywtf.com/Articles/WellIntentioned-Destruction.aspx",
    "group_id": 81,
    "id": 1418066
  },
  {
    "user_id": 7376,
    "stars": [
      {"date_created": 1308367047.3998981, "user_id": 32856},
      {"date_created": 1308574029.7027221, "user_id": 1243}
    ],
    "topic_id": 39570,
    "date_created": 1308333905.1276829,
    "message": "All web developers need to read RESTful Web Services and RFC-2616. Learn the architecture of the tech you're making a living on.",
    "group_id": 81,
    "id": 1421147
  }
]