WebApp Sec mailing list archives

Re: When GET = POST?

From: "Kevin Spett" <kspett () spidynamics com>
Date: Mon, 11 Nov 2002 11:41:05 -0500

Here's an example from MSDN that shows how's it's supposed to be implemented
in ASP.  As you can see, the developer is expected to use the REQUESTTYPE
variable.  Many languages work in a similar way.  It's unsuprising that many
developers don't.
http://support.microsoft.com/default.aspx?scid=KB;en-us;q165671

<HTML>
   <%
   '%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   '% File:    ADOselect.asp
   '% Author:    Aaron L. Barth (MS)
   '% Purpose:    For testing ADO connectivity to any ODBC Datasource
   '% Disclaimer:    This code is to be used for sample purposes only
   '%              Microsoft does not guarantee its functionality
   '%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

   if Request("REQUESTTYPE") <> "POST" then
   '   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   '   % If the request does not contain REQUESTTYPE = "POST
   '   % then display Form Page
   '   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

      dsn = Session("dsn")
      dbuser = Session("dbuser")
      dbpass = Session("dbpass")

...etc...


Kevin Spett
SPI Labs
http://www.spidynamics.com

Current thread:

When GET = POST? Chris Thomas (Nov 08)
- Re: When GET = POST? Alonso Robles (Nov 09)
  - Re: When GET = POST? Jonas Anden (Nov 10)
    - Re: When GET = POST? Vincent Janelle (Nov 10)
- Re: When GET = POST? David Bullock (Nov 09)
- RE: When GET = POST? Tony Welsh (Nov 09)
  - Re: When GET = POST? Adrian Wiesmann (Nov 10)
- Re: When GET = POST? Kevin Spett (Nov 11)
  - Re: When GET = POST? Jason Childers (Nov 11)
- Re: When GET = POST? Charles Miller (Nov 11)
  - Re: When GET = POST? Jeff Dafoe (Nov 11)
    - Re: When GET = POST? Jason Healy (Nov 11)
  - Re: When GET = POST? Kevin Spett (Nov 12)
    - Re: When GET = POST? Daniel Hedrick (Nov 12)
- <Possible follow-ups>
- Re: When GET = POST? Steven M. Christey (Nov 11)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)
- RE: When GET = POST? Glyn Geoghegan (Nov 14)