Way to distinguish between POST and GET data in Python CGIs?

Simon Willison

Hi all,

I've been experimenting with Python CGIs, and more recently mod_python.
The FieldStorage class used by Python's cgi module and mod_python's
utility library allows form data sent by a user's browser to be easily
accessed, but doesn't appear to provide any method of distinguishing
between data sent by POST and data sent by GET.

Coming from PHP, where these two types of input are available in
separate $_POST and $_GET arrays, this is causing me some concern.
Although I do not see this as a security flaw (I will still be
validating data no matter where it came from) I have always preferred to
restrict some types of input to GET and others to POST - for example,
any script that modifies data on the server in some way should use POST
rather than GET to prevent accidental modifications being caused by
users bookmarking strange pages.

Does anyone know of a cgi style module for Python that can distinguish
between the two types of data? I'd also be interested in finding out the
reasons this functionality was excluded from the cgi module in the first
place.

Best regards,

Simon Willison
 
poiboy

Hi Simon,

Regarding mod_python:
* Check req.method in ('GET', 'POST').
* GET variable strings are accessible via
req.args,
req.parsed_uri[apache.URI_QUERY], or
req.subprocess_env['QUERY_STRING'] after calling req.add_common_vars().
* POST variable strings are in the client's request body, accessible via
req.read()
* The variable list strings can be parsed using functions in the cgi
and urllib modules.

Viewing mod_python as an Apache interface which accommodates
web-scripting instead of (just) a web-scripting tool helps
considerably. Think "light on the context, heavy on the construct."
Example:

4.5.3: "The request object is a Python mapping to the Apache
request_rec structure. When a handler is invoked, it is always
passed a single argument - the request object."

See http://httpd.apache.org/dev/apidoc/apidoc_request_rec.html for the
structure's nitty grit.

Wearing my Clueless CGI Apologist cap, I believe that it is the
server's duty to set environment variables (like REQUEST_METHOD) and
call an appropriate script with a query string (close enough). In
other words, the script's only *required input* is the query string
itself. Since environment (or "meta") variable accessibility is
"system defined," a frugal cgi module was a safe bet. Just guessing.

Aloha,
the poiboy
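
The separation discussed in this thread, as an added example that is not part of either post: a plain-CGI sketch that parses GET data only from QUERY_STRING and POST data only from the request body, then refuses a state-changing action unless it arrived by POST. It uses Python 3's `urllib.parse.parse_qs` rather than the cgi module; `split_request_data`, `handle_delete`, `MAX_BODY` and the sample request are assumptions made for illustration.

```python
import io
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # assumed cap on form bodies, bounds memory use
FORM_TYPE = "application/x-www-form-urlencoded"


def split_request_data(environ, body_stream):
    """Return (method, get_data, post_data) from CGI-style variables.

    get_data is parsed only from QUERY_STRING; post_data only from the
    request body, and only for a POST carrying a URL-encoded form.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    get_data = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    post_data = {}
    if method == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0  # unparseable length: treat the body as absent
        if not 0 <= length <= MAX_BODY:
            raise ValueError("CONTENT_LENGTH out of range")
        if ctype == FORM_TYPE and length:
            raw = body_stream.read(length).decode("utf-8", "replace")
            post_data = parse_qs(raw, keep_blank_values=True)
    return method, get_data, post_data


def handle_delete(environ, body_stream):
    """Hypothetical state-changing action that takes input from POST only."""
    method, _get_data, post_data = split_request_data(environ, body_stream)
    if method != "POST":
        return 405, "use POST"
    item = post_data.get("id", [""])[0]  # never falls back to the query string
    if not (item.isascii() and item.isdigit()):
        return 400, "missing or invalid id"
    return 200, "deleted " + item


# Constructed sample: a POST whose URL also carries an "id" in the query string.
# In a real CGI script, pass os.environ and sys.stdin.buffer instead.
SAMPLE_ENV = {"REQUEST_METHOD": "POST", "QUERY_STRING": "id=1&debug=1",
              "CONTENT_TYPE": FORM_TYPE + "; charset=utf-8", "CONTENT_LENGTH": "4"}

if __name__ == "__main__":
    print(split_request_data(SAMPLE_ENV, io.BytesIO(b"id=7")))
    print(handle_delete(SAMPLE_ENV, io.BytesIO(b"id=7")))
```

Under mod_python the same inputs are the ones poiboy lists: `req.method`, `req.args` and `req.read()`.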
 