I was just tampering with the request sent in the URL, then I found that when I was entering SQL queries it is not showing an error.
Apart from that, when I entered "?var=True" (so that all variables entered become true), it threw me a message that the email is verified.
This could be tampered with in other ways to get into the system without being logged in.
It doesn't even throw an error when I enter an SQL query (or 'a'='a), which is again a problem.
These small loopholes lead to breaking into the system, so they should be fixed.
Solution
Change the request parameter from GET to POST; at least one can be prevented from tampering with the URL because he will not get the idea of from where to where the request is being transferred.
Change the website script so that it will throw an error when variables, symbols and SQL queries are being entered.
PeithonKing changed the title from "Not displaying error when executing commands in the URL" to "Weird Behavior of GET Request Parameters" on Nov 10, 2022.
This can be solved easily by using the django messages framework.
The code will be more generalised and versatile in that way.
@Bikash-Bhatta Changed the name because I have read the archive code and know exactly where the problem is. Not displaying an error is actually a better reaction, because in the backend it is actually not even reading the parameters. There is nothing you can do to break it when it is ignoring everything you say.
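The two points in this thread (the reporter's worry that `?var=True` makes the page claim the email is verified, and the maintainer's answer that a backend which ignores query parameters cannot be driven by them, with Django's messages framework as the general fix) can be shown side by side. The following is an added example written for this page, not code from the archive project; it uses only the Python standard library, and `Session`, `demo_users`, `weak_view`, `hardened_view` and `verify_email` are constructed stand-ins for a Django session, user table, views and a verification handler.

```python
# Added example (not the project's code): a notice driven by a client-supplied
# GET flag, beside a version that derives the notice only from server-side state.
from urllib.parse import parse_qs, urlsplit


class Session:
    """Constructed stand-in for a server-side session. `flash` plays the role of
    the django.contrib.messages queue: only server code ever writes to it."""

    def __init__(self) -> None:
        self.user_id = None
        self.flash: list[str] = []


def demo_users() -> dict:
    """Constructed sample user table (fresh copy each call so examples are independent)."""
    return {
        "alice": {"email_verified": True},
        "bob": {"email_verified": False},
    }


VERIFIED_MSG = "Your email has been verified."
UNVERIFIED_MSG = "Please verify your email."


def weak_view(url: str, session: Session, users: dict) -> str:
    """Weak pattern: the notice is taken from the query string, so the page says
    'verified' for anyone who appends ?verified=True, whatever the real state is.
    (Nothing is verified here: it is only the displayed message that is wrong,
    which is exactly why the message must not come from the client.)"""
    query = parse_qs(urlsplit(url).query)
    if query.get("verified", ["False"])[0] == "True":
        return VERIFIED_MSG
    return UNVERIFIED_MSG


def hardened_view(url: str, session: Session, users: dict) -> str:
    """Hardened pattern: the query string is parsed but deliberately not consulted
    for this decision (the maintainer's point: ignored input cannot steer the
    backend). The notice comes from the user record, or from a message the server
    itself queued, consumed once like messages.get_messages() in Django."""
    _ignored = parse_qs(urlsplit(url).query)  # accepted, logged at most, never trusted
    if session.user_id is None:
        return "Please log in."
    if session.flash:
        return session.flash.pop(0)
    if users[session.user_id]["email_verified"]:
        return VERIFIED_MSG
    return UNVERIFIED_MSG


def verify_email(session: Session, user_id: str, users: dict) -> None:
    """Server-side action that actually changes state (e.g. after a verification
    link is consumed) and queues the one-time notice for the next page render."""
    users[user_id]["email_verified"] = True
    session.flash.append(VERIFIED_MSG)


if __name__ == "__main__":
    users = demo_users()
    s = Session()
    print("weak, forged flag   :", weak_view("/account?verified=True", s, users))
    s.user_id = "bob"
    print("hardened, forged flag:", hardened_view("/account?verified=True", s, users))
    verify_email(s, "bob", users)
    print("hardened, real change:", hardened_view("/account", s, users))
```

The contrast is the whole lesson: in `weak_view` the displayed outcome is chosen by whoever types the URL, while in `hardened_view` the same URL changes nothing, because the only writers of `users[...]["email_verified"]` and `session.flash` are server-side handlers. Switching GET to POST, as the report suggests, would not change this: a POST body is just as client-controlled as a query string, so the fix is to stop reading security-relevant state from the request at all.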