RE: QueryDict and its .dict() method - why does it do that?
9 views
Skip to first unread message
bab mis
Mar 28, 2015, 6:06:36 AM3/28/15
to django...@googlegroups.com
Sent from my Windows Phone
From: Simon Charette
Sent: 3/28/2015 2:01
To: django...@googlegroups.com
Subject: Re: QueryDict and its .dict() method - why does it do that?
Hi Gabriel,
One thing I dislike about how PHP/Rail deal with this is the fact they expose an easy way to shoot yourself in the foot.
e.g. PHP
Your code expects $_GET['foo'] to be an array() but the querystring is missing the trailing "[]" (?foo=bar) and crash. This also open a door for subtle attack vectors, let's not forget that those implementation assumes a parameter to be a collection or not based on user submitted data.
I strongly prefer how Django forces you to explicitly declare you're expecting to retrieve a collection from a specific parameter.
Simon
Le vendredi 27 mars 2015 16:10:05 UTC-4, Gabriel Pugliese a écrit :
-- One thing I dislike about how PHP/Rail deal with this is the fact they expose an easy way to shoot yourself in the foot.
e.g. PHP
Your code expects $_GET['foo'] to be an array() but the querystring is missing the trailing "[]" (?foo=bar) and crash. This also open a door for subtle attack vectors, let's not forget that those implementation assumes a parameter to be a collection or not based on user submitted data.
I strongly prefer how Django forces you to explicitly declare you're expecting to retrieve a collection from a specific parameter.
Simon
Le vendredi 27 mars 2015 16:10:05 UTC-4, Gabriel Pugliese a écrit :
Hi Carl,
I perfectly understand what you are saying. It was very clear and informative, but do not agree with the design chosen here. Below is just an opinion and you do not have to agree with it:
My buddies have given PHP and Rails examples, but there are other frameworks from other languages that do that the same way. I mean, what's the advantage here doing differently from others?And I don't agree it follows KISS if I need to re-iterate on the result again to get a dict from it (one clear example usage is destructuring as named function parameters).
Thanks again!
On Thursday, March 26, 2015 at 2:52:48 PM UTC-3, Gabriel Pugliese wrote:This gist is self informative - some information from list is lost: https://gist.github.com/gabrielhpugliese/640b69eefc5b7490a07c
Some of my buddies have pasted Rails(Rack) and PHP conversion right below. Is that something I am missing? Does it have to do with laziness?
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/28c33760-d9cf-4966-a249-aa1ab607909d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages