With so many APIs and frameworks out there, there are many different ways to accomplish the same task. The problem is that each way (or method) usually exhibits different behavior in the face of maliciousness. The challenge for us is to (1) find bad behavior in the APIs/frameworks we use, (2) apply fixes consistently, and (3) remember all of the ways things can go wrong. (1) is difficult but doable, (2) is more challenging, and (3) is arguably impossible for a person to do alone. The fact that APIs change frequently, even if changed for the better, often exacerbates the problem because it’s costly to go back and consistently make changes across existing applications.
It’s time to start being less reactive and more proactive
Mixing GET and POST request data
Are designs that mix GET and POST requests inherently flawed?
It’s common for J2EE developers to create designs that pass both GET and POST requests through a centralized processing pipe, as in the controller method below:
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {

    // Both HTTP methods are routed into the same controller, so the
    // controller sees no difference between a GET and a POST unless it
    // asks the request object itself.
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        controller(request, response);
    }

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        controller(request, response);
    }

    private void controller(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // process the request
    }
}
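The reason the question matters is that `request.getParameter()` merges query-string and body parameters, so a controller fed by both `doGet` and `doPost` cannot tell, from that call alone, whether a value arrived in the URL or in the POST body. The following is an added example, not code from the original post: a servlet that keeps the shared controller but checks the method for state-changing actions and parses the raw query string to refuse sensitive values that did not come from the body. The action names (`view`, `transfer`) and parameter names (`action`, `amount`, `to`) are hypothetical, and `URLDecoder.decode(String, Charset)` assumes Java 10 or later.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the original post). Action and parameter names
// are hypothetical placeholders chosen for illustration.
public class GuardedServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        controller(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        controller(request, response);
    }

    private void controller(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String action = request.getParameter("action");

        if ("view".equals(action)) {
            // Read-only action: GET or POST is acceptable.
            response.getWriter().println("viewing");
            return;
        }

        if ("transfer".equals(action)) {
            // State-changing action: require POST so a plain link or image
            // tag cannot trigger it.
            if (!"POST".equals(request.getMethod())) {
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
            // getParameter() would happily return a value supplied in the URL
            // of a POST, so check the raw query string for the sensitive names.
            Set<String> fromQuery = queryStringNames(request.getQueryString());
            if (fromQuery.contains("amount") || fromQuery.contains("to")) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "sensitive parameters must be sent in the request body");
                return;
            }
            String amount = request.getParameter("amount");
            String to = request.getParameter("to");
            response.getWriter().println("transferring " + amount + " to " + to);
            return;
        }

        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    // Returns the parameter names present in the raw query string. The servlet
    // API offers no per-source view of parameters, so parsing getQueryString()
    // is how the URL-vs-body distinction is recovered.
    static Set<String> queryStringNames(String queryString) {
        Set<String> names = new HashSet<>();
        if (queryString == null || queryString.isEmpty()) {
            return names;
        }
        for (String pair : queryString.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
            names.add(URLDecoder.decode(rawName, StandardCharsets.UTF_8));
        }
        return names;
    }
}
```

The check on `getQueryString()` is deliberately a name check rather than a value check: if the same name appears in both the URL and the body, `getParameter()` returns only one of them (container-dependent order), which is exactly the ambiguity a shared controller should refuse rather than guess at.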