note sundialsvc4 <p> It also occurs to me to wonder, and with considerable alarm, &ldquo;exactly what is it about your present algorithm which makes you <em>care</em> that an &lsquo;extra&rsquo; parameter value is appearing in the data?&rdquo; &nbsp; Of particular concern to me is that perhaps the software is iterating through the parameters given and attempting to do something with them &ldquo;no matter what they are,&rdquo; on the very naïve and very dangerous assumption that only the &ldquo;expected&rdquo; parameter-names could actually be there. &nbsp; (PHP was most-notorious for this in its earliest days, when it would &ldquo;helpfully&rdquo; introduce every POST/GET variable that it saw, right into the variable pool. &nbsp; &ldquo;Helpful&rdquo; indeed it was, if one is not thinking of malice, and of course it didn&rsquo;t last long. &nbsp; But there are still probably some vulnerable web-sites out there that are still being hacked because of it.) &nbsp; Your application should <em>know</em> exactly what variable-names it might consider. &nbsp; It should look only for submitted variables under those names, at the exclusion of any and all others. &nbsp; It should, furthermore, validate each of these, using a regular-expression <i>(say)</i>, before accepting any of them. &nbsp; Never allow the user (which could well actually be a malicious &ldquo;bot!&rdquo;) to &ldquo;stuff&rdquo; anything into your application&rsquo;s brain. </p><p> <i>(Edit:</i> &nbsp; Parameter validation should always occur in <u>two</u> places. &nbsp; First, the user interface should filter out typographic errors before attempting to submit anything to the host. &nbsp; But second, the host should validate everything it receives, both syntactically then semantically. &nbsp; I am of the opinion that, if anything <em>is</em> found to be wrong in second-stage verification, the host perhaps should throw-out all of it, and perhaps using <tt>400 Bad Request</tt>. &nbsp; Ditto the presence of &ldquo;unexpected&rdquo; parameters in the input, on the rationale that it is &ldquo;a bug, at best&rdquo; for them to be present. &nbsp; The client-side validation is for user convenience (and to reduce network bandwidth); the second is for the server&rsquo;s own protection <em>and</em> to facilitate the detection of legitimate errors &ldquo;somewhere&rdquo; in the software. &nbsp; (Even in 100%-innocuous scenarios, the hardest thing about troubleshooting any problem is knowing that a problem exists.) </p> 1011634 1011634