Building GET query strings

  • meckhert@REMOVESPAM.gmail.com

    Building GET query strings

    I am currently building a sports web application and have run into a
    design question.

    In order to create a new coach record, there are two pieces of
    information that are needed: 1) username 2) team_id

    It seems to me that the best way to do this is to break the problem
    into two parts. First, search for the username and append that to the
    URL: http://www.mysite.com?username=john

    Next, I would present the user with another search box to search for a
    team and then add '&team_id=1' to the GET url. The final URL should
    look something like
    http://www.mysite.com?username=john&...ction=addcoach

    Does anyone know of a good example out there for doing this in a
    methodical and elegant fashion?


    Marc

  • EnglishMan

    #2
    Re: Building GET query strings

    I would suggest not using GET... especially if the strings can add or
    remove records to a database... Major security issue... what is
    stopping someone from overloading your DB with false entries?? I would
    think it better to POST everything with some sort of authentication to
    keep the process more secure


      • meckhert@REMOVESPAM.gmail.com

        #4
        Re: Building GET query strings

        Security shouldn't be an issue since there is a separate authentication
        module which checks the status of the logged in user before doing any
        work.

        What I am trying to do is to build an administration screen where an
        admin user is able to associate a username with a team through a coach
        record. I am looking for advice as to whether finding the team_id,
        appending it to the URL, then finding the username and appending it to
        the URL is the best way to do this. I would like to avoid cookies and
        sessions if possible.

        Any examples of finding records in using retrieved data from two tables
        to create an associative record would probably be helpful.


        • Michael Fesser

          #5
          Re: Building GET query strings

          .oO(EnglishMan)
          >I would suggest not using GET... especially if the strings can add or
          >remove records to a database... Major security issue... what is
          >stopping someone from overloading your DB with false entries?? I would
          >think it better to POST everything with some sort of authentication to
          >keep the process more secure

          While I would also recommend using POST in this case, don't rely on its
          "increased security". There is none. A user who knows what he's doing
          can send a faked POST request as well as a faked GET quite easily.

          Micha


          • Chung Leong

            #6
            Re: Building GET query strings

            "meckhert@REMOVESPAM.gmail.com" <meckhert@gmail.com> wrote in message
            news:1103224270.482080.12040@z14g2000cwz.googlegroups.com...
            > I am currently building a sports web application and have run into a
            > design question.
            >
            > In order to create a new coach record, there are two pieces of
            > information that are needed: 1) username 2) team_id
            >
            > It seems to me that the best way to do this is to break the problem
            > into two parts. First, search for the username and append that to the
            > URL: http://www.mysite.com?username=john
            >
            > Next, I would present the user with another search box to search for a
            > team and then add '&team_id=1' to the GET url. The final URL should
            > look something like
            > http://www.mysite.com?username=john&...ction=addcoach
            >
            > Does anyone know of a good example out there for doing this in a
            > methodical and elegant fashion?
            >
            >
            > Marc

            Just stick the variables into hidden fields. If the form method is GET, then
            the browser will automatically create the right URL.


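The points raised across this thread, as an added example that is not code from any poster: the read-only searches build their GET URLs with proper encoding, the record-creating step carries both values in hidden fields of a POST form, and the handler re-checks everything because hidden fields and POST bodies are as forgeable as a query string. The `USERS`/`TEAMS` tables, `SECRET`, the `/admin` path, the session dict and the session-bound form token are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import re
from urllib.parse import urlencode

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client
USERS = {"john"}                  # constructed stand-ins for the user and team tables
TEAMS = {1: "Tigers"}

def search_url(base, **params):
    """URL for a read-only search step; urlencode() escapes every value."""
    return base + "?" + urlencode(params)

def form_token(session_id):
    """Token bound to the admin's session, so a forged form cannot supply it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def confirm_form(session_id, username, team_id):
    """Final step: both values travel as hidden fields of a POST form."""
    fields = {"action": "addcoach", "username": username,
              "team_id": str(team_id), "token": form_token(session_id)}
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">'
        % (html.escape(k), html.escape(v, quote=True)) for k, v in fields.items())
    return ('<form method="post" action="/admin">\n%s\n'
            '  <button>Add coach</button>\n</form>' % inputs)

def add_coach(method, session, form):
    """Return (status, message). Every submitted value is re-checked server-side."""
    if method != "POST":          # keeps the action out of links, history and logs
        return 405, "state changes are accepted by POST only"
    if not session.get("is_admin"):   # the real control: who is asking
        return 403, "admin login required"
    sent = form.get("token", "").encode()
    if not hmac.compare_digest(sent, form_token(session["id"]).encode()):
        return 403, "bad form token"
    username, team = form.get("username", ""), form.get("team_id", "")
    if username not in USERS or not re.fullmatch(r"[0-9]{1,9}", team) or int(team) not in TEAMS:
        return 400, "unknown username or team_id"
    return 200, "coach %s -> team %s" % (username, TEAMS[int(team)])
```

The 405 branch only keeps the action out of bookmarkable URLs; the session, token and lookup checks are what reject a hand-built request.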