Diez B. Roggisch wrote:
On 03.02.10 19:11, John Bokma wrote:
Alan Harris-Reid <a...@baselinedata.co.uk> writes:

I have a web-page where each row in a grid has edit/delete buttons to
enable the user to maintain a selected record on another page.  The
buttons are in the form of a link with href='/item_edit?id=123', but
this string appears in the URL and gives clues as to how to bypass the
correct sequence of events, and could be risky if they entered the URL
directly (especially when it comes to deleting records).

You should *never* use a GET request to do actions like deleting
records. You already are aware of it being risky, so don't do this. You
should use GET for getting information, and POST for modifying information.

You should *never* say never, because there might be situations where exceptions from rules are valid. This is one such case.

Oh yes ?

Making this a post means that you need to resort to javascript to populate & submit a hidden HTML-form.

I beg your pardon? This is total nonsense. Hopefully you don't need any JS to emit a POST request from a browser! The only thing you need to do is to use a form and a submit input instead.
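As an added illustration of the point made in this reply (example code, not from anyone in the thread): a minimal WSGI app in which the grid keeps `/item_edit?id=123` as a GET link, because editing a record only reads it, while each row's delete button is a plain HTML form that POSTs to an assumed `/item_delete` path. No JavaScript is involved, and a GET to `/item_delete`, whether typed, bookmarked or followed by a crawler, deletes nothing. The in-memory item table and the request helper are constructed for the example.

```python
import html
from io import BytesIO
from urllib.parse import parse_qs

# Constructed in-memory "table" for the example; a real app would use a database.
ITEMS = {123: "widget", 124: "gadget"}


def render_grid(items):
    """One row per item: the edit button stays a GET link (it only reads),
    the delete button is a plain POST form with a hidden id and a submit
    input, so no JavaScript is involved."""
    rows = []
    for item_id, name in sorted(items.items()):
        rows.append(
            "<tr><td>%s</td>"
            "<td><a href='/item_edit?id=%d'>edit</a></td>"
            "<td><form method='post' action='/item_delete'>"
            "<input type='hidden' name='id' value='%d'>"
            "<input type='submit' value='delete'></form></td></tr>"
            % (html.escape(name), item_id, item_id)
        )
    return "<table>%s</table>" % "".join(rows)


def app(environ, start_response):
    """Minimal WSGI application: GET / renders the grid, POST /item_delete
    deletes; any other method on /item_delete (assumed path) is refused."""
    path = environ.get("PATH_INFO", "/")
    method = environ.get("REQUEST_METHOD", "GET")
    if path == "/item_delete":
        if method != "POST":
            # A typed URL, a bookmark or a crawler following a link is a GET,
            # so nothing is deleted that way.
            start_response("405 Method Not Allowed",
                           [("Allow", "POST"), ("Content-Type", "text/plain")])
            return [b"Deleting requires the delete button (POST)."]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length).decode("utf-8")
        try:
            item_id = int(parse_qs(body).get("id", [""])[0])
        except ValueError:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"bad id"]
        if ITEMS.pop(item_id, None) is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"no such item"]
        # Redirect after POST so a browser reload does not resubmit the delete.
        start_response("303 See Other", [("Location", "/")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [render_grid(ITEMS).encode("utf-8")]


def call(method, url, body=""):
    """Drive app() with a constructed WSGI environ (no server needed);
    returns (status line, response body as text)."""
    path, _, query = url.partition("?")
    data = body.encode("utf-8")
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": BytesIO(data)}
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    out = b"".join(app(environ, start_response))
    return captured["status"], out.decode("utf-8")


if __name__ == "__main__":
    print(call("GET", "/item_delete?id=123")[0])      # refused with 405
    print(call("POST", "/item_delete", "id=123")[0])  # deleted, 303 back to grid
    print(call("GET", "/")[1])                        # grid without item 123
```

The browser submits the row's form as a normal POST when the submit input is clicked; the `id` travels in the request body rather than the URL, and the 303 redirect after the delete keeps a page reload from repeating it.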
--
http://mail.python.org/mailman/listinfo/python-list
