WebApp Sec mailing list archives

RE: [WEB SECURITY] Re: HTTP Parameter Pollution


From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 20 May 2009 22:51:47 +0100


> I believe he means how web servers treat it.
> I guess it's very important for web servers to
> handle HPP in the same way else I would need to
> change the application implementation every time
> I change my web server which is definitely not accepted.

Well, a standard would supposedly mean selecting one or more of the
possible interpretations (which in turn will logically make the other
choices non-compliant).  So doesn't that conflict with the previous
logic; that all the options are indeed valid (and only the mismatch is
the problem)?

Also, in my experience, most web server APIs have both a raw interface
and some kind of interpreted interface to the request. Even ignoring the
specific issue being debated here, using the interpreted interfaces
across platforms and across language APIs will generally throw up all
kinds of inconsistencies that must be worked around in the code anyway.
You'll only get platform independence if you roll your own code and use
the raw interface.

Martin...
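Rolling your own parsing over the raw query string, as Martin suggests, is one way to make duplicate-parameter handling explicit and portable instead of inheriting whatever the platform's interpreted API happens to do. The following is an added example, not code from the original thread; `RAW_QUERY` is a constructed input and the policy names (`first`, `last`, `join`, `all`) are illustrative labels for the behaviours being compared.

```python
from urllib.parse import unquote_plus

# Constructed example: the raw query string as it arrives on the wire,
# before any platform-specific parameter API has interpreted it.
RAW_QUERY = "id=1&action=view&id=2&debug"

def parse_raw_query(query):
    """Split a raw query string into an ordered list of (name, value) pairs.
    Every occurrence is kept, so duplicates stay visible to the caller
    instead of being collapsed by whichever server API is in use."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        # A bare token such as "debug" carries no value; keep it as None.
        pairs.append((unquote_plus(name), unquote_plus(value) if sep else None))
    return pairs

def duplicated_names(pairs):
    """Names that appear more than once: the HPP condition itself."""
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)

def interpret(pairs, policy):
    """Resolve duplicates under an explicit policy. 'first', 'last' and
    'join' mimic the common server behaviours; 'all' keeps every value
    as a list so the application can decide for itself."""
    result = {}
    for name, value in pairs:
        if policy == "all":
            result.setdefault(name, []).append(value)
        elif policy == "first":
            result.setdefault(name, value)
        elif policy == "last":
            result[name] = value
        elif policy == "join":
            result[name] = value if name not in result else f"{result[name]},{value}"
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return result

def strict_params(query):
    """Portable lookup: parse the raw string, then refuse ambiguity.
    Returns (params, conflicts); a non-empty conflicts list means the
    request should be rejected or logged rather than guessed at."""
    pairs = parse_raw_query(query)
    conflicts = duplicated_names(pairs)
    params = {n: v for n, v in pairs if n not in conflicts}
    return params, conflicts
```

Running `interpret` with each policy on the same pairs shows why two servers can disagree about `id` while both being "valid"; `strict_params` is the defensive alternative of refusing the ambiguous request.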



