Well, I wonder... how are the parameters used? Are they passed to the shell or used for SQL queries? Or are the parameters just checked by name to see what they contain, with following actions, and anything leftover not ever used? There is a big difference - although, for total honesty one could argue that this could change later.
Under perl, -T will get you very far with answering these questions too.
I have to repeat what others have said here: you cannot trust the client, even if it isn't just a browser, but something closed source and compiled. It is not exactly hard (usually) to capture whatever the client is sending and mimic/"enhance" that yourself. If you are worried about extra parameters doing any harm, filter server-side! Always! Anything client-side is just cosmetics. :)
This also reminded me about this node by merlyn. It is a good laugh about undoubtedly real security flaws. :)
You have moved into a dark place.
It is pitch black. You are likely to be eaten by a grue.
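An added example, not from this thread or its author, of the server-side filtering the reply recommends, run under taint mode with -T: only parameters the script knows by name are used, each must match an expected shape, and everything else is logged and ignored. The parameter names, the patterns and the use of CGI.pm are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread): allow-list filtering of CGI
# parameters under taint mode. Parameter names and patterns are assumed.
use strict;
use warnings;
use CGI;

# Taint mode refuses to pass tainted data to system(), open() for writing,
# and similar; it also insists on a safe environment before any such call.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Parameters the script actually acts on, each with the exact shape it may
# have. \A and \z (not ^ and $) stop a trailing newline from slipping through.
my %allowed = (
    user => qr/\A([a-z][a-z0-9_]{0,31})\z/,   # account name
    page => qr/\A([1-9][0-9]{0,3})\z/,        # small positive integer
);

# Returns (hashref of untainted values, arrayref of rejected parameter names).
sub untaint_params {
    my ($q) = @_;
    my (%clean, @rejected);
    for my $name ($q->param) {                # list context: all parameter names
        if (!exists $allowed{$name}) {
            push @rejected, $name;            # unexpected parameter: never used
            next;
        }
        my $raw = $q->param($name);           # scalar: first value only
        if (defined $raw && $raw =~ $allowed{$name}) {
            $clean{$name} = $1;               # a regex capture is untainted
        } else {
            push @rejected, $name;            # present but malformed
        }
    }
    return (\%clean, \@rejected);
}

my $q = CGI->new;
my ($clean, $rejected) = untaint_params($q);
warn "ignored parameters: @$rejected\n" if @$rejected;

# Only the values in %$clean are ever passed on to commands or queries.
print $q->header('text/plain');
print "user=$clean->{user}\n" if exists $clean->{user};
print "page=$clean->{page}\n" if exists $clean->{page};
```

Run it as `perl -T script.pl` (or via a web server that honours the shebang); starting it without -T makes Perl abort with "Too late for -T", which is the intended safety net.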