|Welcome to the Monastery|
Of course, you are right, and I have already implemented such checks at different levels of the application architecture.
Nevertheless, there is one situation where script A just should "pass" all parameters to another script B. To be precise, A generates HTML code with <a href> to B, where the href's URI contains all parameters which had been included in the call of A. Generating this link is done by generic code which is in a module which is used by several of the scripts; thus, when generating the link, the parameters are not checked. This is no security problem since B will check it's parameters for correctness when called.
In nearly all browsers, when moving the mouse to the generated link, the complete destination URI of the link, including the parameters, is visible (e.g. in the status bar). Now, if script A is called WITHOUT parameters (which is perfectly acceptable), the generated link to script B contained a query string ("?keywords=") where no query string should be.
This worries users, makes debugging more complicated, and is ugly, so I would like to change that.
I will do it the way which has been proposed above, but I was hoping that we could "configure" CGI.pm somehow to disable that behavour, or that there is another more elegant way.
In reply to Re^2: Unwanted parameter when executing CGI scripts