[Gllug] question about python/perl

Joel Bernstein joel at fysh.org
Thu Feb 24 23:24:40 UTC 2011


On 24 February 2011 20:33, Jason Clifford <jason at ukfsn.org> wrote:
> On Thu, 2011-02-24 at 20:09 +0100, salsaman at xs4all.nl wrote:
>> Quite right, although in my experience it is far more common to use a
>> query string rather than the address to hold parameters, for example:
>>
>> http://www.example.com?name=joel&flower=rose&type=petal
>>
>> A smart enough framework would then create a parameter called "name" and
>> assign it the value "joel", create a variable "flower" with value "rose"
>> and a variable "type" with value "petal". These variables are then used in
>> the code which returns html to the client.
>
> Absolutely NOT!
>
> PHP used to do that by default. It was called register globals and was
> one of the biggest security holes in PHP and earned the language many
> curses. If you create a variable automatically you enable anyone who can
> pass a query string (ie every visitor to a website!) to play with your
> internal application variables.

Absolutely true, but you're conflating making a parameter available
through a standardised mechanism with making that parameter available
through a global variable, the very existence of which is a bad "code
smell".

> A smart framework will take those parameters and make them available in
> a manner that the application can easily use so that the programmer has
> the option to make a variable easily once the input has been validated.

Indeed. In Catalyst these are available through the Context object
passed to each controller action, which has methods to access
query-string parameters, POST parameters or both through a
standardised interface.

In fact, I'm not sure why I replied, since I now feel we are in
"furious agreement" mode.

/joel
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
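The two patterns argued over above, side by side, as an added example that is not code from the thread, from PHP, or from Catalyst. It is Python (the subject line's other language) using only the standard library; the `Request` class, its `param()` accessor, the `is_admin` flag and the `render_*` handlers are all constructed for illustration, not any framework's real API. The first handler copies every query parameter into the same namespace as its internal state, which is what register_globals did; the second reaches parameters only through an accessor and validates before turning one into a variable.

```python
"""Added example (not from the Gllug thread): a register_globals-style
handler next to one that uses a standardised parameter interface."""
from urllib.parse import parse_qs, urlsplit


def parse_query(url: str) -> dict:
    """Return the query string of `url` as {name: first_value}."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in raw.items()}


# --- the "register globals" anti-pattern -------------------------------
def render_with_register_globals(url: str) -> str:
    """Every query parameter becomes a variable of the handler, as PHP's
    register_globals did. Internal state lives in the same namespace, so
    a visitor can overwrite it from the URL."""
    ns = {"is_admin": False}          # internal application variable (constructed)
    ns.update(parse_query(url))       # the hole: untrusted params replace state
    ns.setdefault("name", "anonymous")
    if ns["is_admin"]:                # "1" from the URL is truthy
        return f"admin panel for {ns['name']}"
    return f"hello {ns['name']}"


# --- the standardised-interface pattern --------------------------------
class Request:
    """Hypothetical stand-in for a framework request/context object:
    parameters are reachable only through an accessor, never as bare
    variables in the handler's namespace."""

    def __init__(self, url: str):
        self._query = parse_query(url)

    def param(self, name: str, default=None):
        return self._query.get(name, default)


def render_with_request_object(url: str) -> str:
    req = Request(url)
    is_admin = False                  # internal state, unreachable from input
    name = req.param("name", "anonymous")
    # validate before the input is promoted to an application variable
    if not name.isalnum() or len(name) > 32:
        return "bad request: invalid name"
    if is_admin:
        return f"admin panel for {name}"
    return f"hello {name}"


if __name__ == "__main__":
    url = "http://www.example.com?name=joel&is_admin=1"   # constructed request
    print(render_with_register_globals(url))   # admin panel for joel
    print(render_with_request_object(url))     # hello joel
```

With the same query string, the register_globals-style handler hands out the admin view because the string `"1"` silently replaced the boolean it was keeping internally; the accessor-based handler ignores the unexpected parameter entirely and rejects a `name` that fails validation, which is the "option to make a variable easily once the input has been validated" that the thread describes.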