On 1/21/06, Paul Benedict <[EMAIL PROTECTED]> wrote:
> Try it yourself!! Just add "?org.apache.struts.taglib.html.CANCEL=true" to
> any GET URL and your
> execute() method will magically be called as if you didn't have any
> validation added to your code.

Calling ActionForm.validate() explicitly from an action saves a lot of
trouble, and for me it is just simpler.

On 1/21/06, Frank W. Zammetti <[EMAIL PROTECTED]> wrote:
> Now, imagine a hacker wants to get to a completely different table in
> the database (I suppose reading from a selected table would be a better
> example, but I digress). To do so, they can pass in the canceled
> parameter and whatever table name they want, assuming they can mangle
> the URL properly and establish a session first. Since Struts will
> populate the form and fire the Action *without* calling validate() in
> this case, the hacker has the "in" they want.

I say it again, do not rely on automatic validation ;-)

On 1/22/06, Rick Reumann <[EMAIL PROTECTED]> wrote:
> All of this just adds *ONE MORE REASON* to my list of *NEVER EVER* use
> validate="true". I always call validation manually from my Action class
> and the sooner people get into a habit of this the better off they
> will be.

+1. Also, I would prefer populate() to be explicitly called from the action
as well. I want the framework to provide services for me and to do the heavy
lifting, but I want to control the steering wheel and pedals. Automatic
behavior on request/response is a flaw, not a benefit. I can write 3-5 lines
of code to perform (or not) the appropriate framework function. I hate it
when stuff is done for me. A framework should encapsulate chunks of a job,
but it must be me who decides whether to perform these jobs or not.

Michael.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
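The pattern the thread recommends, as an added example that is not code from any of the posters: a Struts 1 Action that is mapped with validate="false" in struts-config.xml, calls ActionForm.validate() itself, and treats a cancel request as a harmless "go back" rather than as permission to skip checks. The table-name allow-list follows Frank's scenario of a caller choosing the table; ReportAction, ReportForm, the allow-listed table names, the message key and the forward names are assumptions for illustration, and the data-source lookup uses the Struts 1 Action.getDataSource() convenience method.

```java
// Added example, not from the thread. Assumes Struts 1.2 and an action mapping
// declared with validate="false", so the RequestProcessor never runs validate()
// for us and the CANCEL parameter can no longer short-circuit anything.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;

/** Form bean (hypothetical). validate() accepts only allow-listed table names. */
class ReportForm extends ActionForm {
    // Constructed allow-list; the real application would decide which tables are exposed.
    private static final Set ALLOWED_TABLES =
        new HashSet(Arrays.asList(new String[] { "orders", "invoices" }));

    private String table;

    public String getTable() { return table; }
    public void setTable(String table) { this.table = table; }

    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        ActionErrors errors = new ActionErrors();
        if (table == null || !ALLOWED_TABLES.contains(table)) {
            errors.add("table", new ActionMessage("errors.table.invalid")); // hypothetical key
        }
        return errors;
    }
}

/** Action (hypothetical) that owns validation instead of trusting validate="true". */
public final class ReportAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // Cancel is handled explicitly and does nothing sensitive. isCancelled() reads the
        // request attribute the RequestProcessor sets when it sees the CANCEL parameter;
        // it still sets that attribute when validate="false".
        if (isCancelled(request)) {
            return mapping.findForward("cancel");
        }

        // Every path that touches data runs validate(), whatever the URL carried.
        ActionErrors errors = form.validate(mapping, request);
        if (errors != null && !errors.isEmpty()) {
            saveErrors(request, errors);
            return new ActionForward(mapping.getInput());
        }

        ReportForm rf = (ReportForm) form;
        request.setAttribute("rows", loadRows(request, rf.getTable()));
        return mapping.findForward("success");
    }

    /** Reads the first column of the chosen table; the name is already allow-listed. */
    private List loadRows(HttpServletRequest request, String table) throws Exception {
        List rows = new ArrayList();
        DataSource ds = getDataSource(request);
        Connection conn = ds.getConnection();
        try {
            // A table name cannot be bound as a JDBC parameter, which is exactly why the
            // allow-list check in validate() must run before we get here.
            PreparedStatement ps = conn.prepareStatement("SELECT * FROM " + table);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                rows.add(rs.getString(1));
            }
            rs.close();
            ps.close();
        } finally {
            conn.close();
        }
        return rows;
    }
}
```

With the mapping set to validate="false", the only code that can reach loadRows() is the branch that just passed form.validate(), so appending org.apache.struts.taglib.html.CANCEL=true to the URL merely lands the caller on the "cancel" forward.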