perl-modperl mailing list archives

From André Warnier
Subject Re: dealing with empty field names in query
Date Sat, 07 Feb 2009 13:06:16 GMT
Clinton Gormley wrote:
> Are you using a different version?  Or is it the fact that you're
> POSTing it?
Sorry for the lecture, but I see this so often that it seems it deserves 
repeating:

To send the content of a <form> to a webserver, you can use either a 
POST or a GET method.
You should use a GET if the result of sending this to the server is 
not going to modify anything on the server, and if re-sending the same 
request several times would always give the same result.
In technical jargon, that is called "idempotent".

You should use POST if it is not the case, in other words if what you 
are sending is going to modify something, and multiple identical 
requests would be "not idempotent".

Neither of the above says how you are passing the data to the server 
however. This is something else entirely.

Separately from the above, and usable with either one, is the question 
of how you are passing the data of your request to the server.
This you can also do in two different ways:
- encoded as "application/x-www-form-urlencoded"
- or encoded as "multipart/form-data"

"application/x-www-form-urlencoded" is the default, and it means that 
you are passing the form data appended at the end of the URL, preceded 
by a "?" sign, as one long string of the form 
"name1=value1&name2=value2..." etc., 
usually known as "the query string".
That is easy to do, but has the inconvenience that the server does not 
really know in which character set these things are.  This can play 
havoc with internationally-minded applications.
It can also have the result that the request may be truncated after a 
certain maximum length, by some intervening actor.

"multipart/form-data" is more complicated and harder to do, and is 
described here :
but it has the advantage that each of the "name=value" pairs can be as 
long as you want, and that the type of data and encoding of each is clear.

In neither of the above, though, is it allowed in the specs to send a 
"name=value" pair where there is no name. And if name there is, the 
specs do define what is allowed in it, and "" is not among these.

Now which combination of the above some clever javascript function may 
decide to use when sending the form content to the server, is another 
But as Phil rightly said, garbage in, garbage out.
Whether the server software can deal or not with some forms of invalid 
data, is rather outside of the question. It is certainly not obliged to.

And the request data of which it is originally the question here is 
certainly, without a doubt, invalid.

In my opinion thus, the OP should first take whatever measure is 
appropriate to ensure that his application sends only valid data, and 
then come back if there is still a problem.

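A strict server-side check for the rule stated in the message above (every pair must carry a non-empty name), as an added example that is not part of the original message or of mod_perl. The function names `decode_component` and `parse_form_strict` and the sample string are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one urlencoded component ('+' is a space, %XX is a byte).
# Returns undef when a '%' is not followed by two hex digits.
sub decode_component {
    my ($s) = @_;
    return if $s =~ /%(?![0-9A-Fa-f]{2})/;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Split a raw urlencoded string into pairs. Returns (\@accepted, \@rejected);
# invalid segments are reported with a reason instead of being dropped.
sub parse_form_strict {
    my ($raw) = @_;
    my (@ok, @bad);
    for my $seg (split /&/, $raw, -1) {
        my ($n, $v) = $seg =~ /\A([^=]*)(?:=(.*))?\z/s;
        my $name  = decode_component($n);
        my $value = decode_component(defined $v ? $v : '');
        if (!defined $name || !defined $value) {
            push @bad, [$seg, 'malformed percent-escape'];
        }
        elsif ($name eq '') {
            push @bad, [$seg, 'empty field name'];
        }
        else {
            push @ok, [$name, $value];
        }
    }
    return (\@ok, \@bad);
}

# Constructed sample input: three valid pairs and three invalid segments.
my $raw = 'user=alice&=orphan&note=a+b%21&bad=%zz&&lang=fr';
my ($ok, $bad) = parse_form_strict($raw);

printf "accepted  %s = '%s'\n", @$_ for @$ok;
printf "rejected  '%s' (%s)\n", @$_ for @$bad;

# A handler would answer 400 Bad Request here rather than guess at intent.
print "request is invalid\n" if @$bad;
```

The same function applies to a query string and to a urlencoded request body, since both use the `name=value&name=value` layout.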