hackers @ microsoft
This is on the topic of input validation, but:
For example, a web application may implement the following authorization checks:
    If Request("Admin") = "True" Then
        Do administrative work
    Else
        Normal User Work

If the developer of the application sets a variable in the cookie, such as Admin=Yes, then the application will check for the value of this Request object whenever the application has to process admin functionality.
The code should look something like Request.Cookies("Admin"). However, if the developer loosely codes the thing and uses a shortcut like Request("Admin"), then, as stated earlier, the Request object will search for a match in QueryString, Form, Cookies, ClientCertificate and ServerVariables, in that order. The first match found dictates the value.
I get what they want to say: "you are supposed to look at the cookie value, but the lazy ones read it straight off Request, and that's bad." But the design itself is wrong from the start.
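To make both points concrete, here is an added example (mine, not code from the Hackers @ Microsoft post or from this blog) that simulates the classic ASP Request("name") fallback in Python using the collection order the quoted text gives. It shows the shortcut being overridden by a query-string parameter, then shows that the "correct" Request.Cookies("Admin") check is just as easy to forge, since the cookie is client-controlled. The session store and its ids are constructed for illustration.

```python
"""Simulation of classic ASP's Request("name") fallback lookup (not the real
ASP runtime).  Collection order is the one stated in the quoted text:
QueryString, Form, Cookies, ClientCertificate, ServerVariables.
"""
from dataclasses import dataclass, field

COLLECTION_ORDER = (
    "QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables",
)


@dataclass
class Request:
    """Minimal stand-in for the ASP Request object: five named collections."""
    QueryString: dict = field(default_factory=dict)
    Form: dict = field(default_factory=dict)
    Cookies: dict = field(default_factory=dict)
    ClientCertificate: dict = field(default_factory=dict)
    ServerVariables: dict = field(default_factory=dict)

    def __call__(self, name: str) -> str:
        """Request("name"): walk the collections in order; first match wins."""
        for collection in COLLECTION_ORDER:
            values = getattr(self, collection)
            if name in values:
                return values[name]
        return ""  # no match anywhere: empty value, as classic ASP does


def is_admin_lax(req: Request) -> bool:
    """The shortcut from the quoted post: If Request("Admin") = "True"."""
    return req("Admin") == "True"


def is_admin_cookie(req: Request) -> bool:
    """The "correct" form: If Request.Cookies("Admin") = "True".
    Still trusts a value the client sends, so still forgeable."""
    return req.Cookies.get("Admin", "") == "True"


# Constructed server-side session store (hypothetical ids); the role lives
# here, never in anything the browser sends back.
SESSIONS = {
    "s3ss10n-abc": {"role": "admin"},
    "s3ss10n-xyz": {"role": "user"},
}


def is_admin_session(req: Request) -> bool:
    """Role resolved server-side from an opaque session id cookie."""
    sid = req.Cookies.get("SessionId", "")
    return SESSIONS.get(sid, {}).get("role") == "admin"


if __name__ == "__main__":
    # Ordinary user, but ?Admin=True appended to the URL.
    via_query = Request(QueryString={"Admin": "True"},
                        Cookies={"SessionId": "s3ss10n-xyz"})
    # Ordinary user who edited their cookie jar to add Admin=True.
    via_cookie = Request(Cookies={"SessionId": "s3ss10n-xyz", "Admin": "True"})
    for label, req in (("query string", via_query), ("forged cookie", via_cookie)):
        print(f"{label:13}: lax={is_admin_lax(req)} "
              f"cookie={is_admin_cookie(req)} session={is_admin_session(req)}")
```

Run as a script, the query-string case passes the lax check but fails the cookie check, which is the post's point; the forged-cookie case passes both, which is the blogger's point: fixing the lookup only removes one of the ways to set a value the server should never have trusted. Only the session-backed check rejects both.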