On 21 Jun 2006, at 17:48, James Bennett wrote:

> And while we're at it, let's get serious about input handling. The
> first thing which occurs to me is to add a 'hasNoHTML' validator in
> django.core.validators; possibly this would be accompanied by a
> boolean 'allows_html' argument to TextFields and CharFields, or maybe
> we just advertise judicious use of validator_list. Either way, the
> documentation should emphasize as strongly as possible that it exists
> and should be used.

Completely agree on input handling. Django's current validation stuff  
is reasonable but it's not quite good enough - there are some crufty  
things in the existing system (do_html2python is one particularly  
noticeable wart) but it's still not easy enough to see how you would  
validate a form that is nothing to do with a data model - a "contact  
me" form for example. The manipulator API simply isn't easy enough to  
use.

More to the point though, the smartest technique for input validation  
I've seen is this kind of thing:

email = get_valid_email_address_from_GET_field('email')
age = get_positive_integer_from_POST_field('age')
date = get_python_date_from_GET_field('date')

Obviously those are ludicrous function names, but it should be clear  
what they are doing. Rather than directly accessing GET and POST data  
you do it through some mechanism that /guarantees/ the format of the  
data returned - and raises an exception if it can't make that  
guarantee. There is no possible way of invalid data ending up in the  
email and age variables, so once you're past that bit of code you can  
continue safe in the knowledge that the data is at least in the right  
format.

Obviously I haven't figured out exactly how the API for this should  
look, but I think the core concept is really powerful.

Cheers,

Simon
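An added example (not code from Simon's message or from Django) of the "guarantee the format or raise" accessors sketched above. `params` stands in for request.GET / request.POST as a plain dict, and the function names and `InvalidField` exception are assumptions chosen for illustration:

```python
import re
from datetime import date

# Added example (not Django's API): accessors that return data in the guaranteed
# format or raise InvalidField. `params` stands in for request.GET / request.POST.
class InvalidField(ValueError):
    """Field missing or not in the required format."""

_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

def _raw(params, name):
    if name not in params:
        raise InvalidField("%s: missing" % name)
    return params[name]

def get_valid_email(params, name):
    """Return the field as a str only if it looks like an e-mail address."""
    value = _raw(params, name).strip()
    if len(value) > 254 or not _EMAIL_RE.fullmatch(value):
        raise InvalidField("%s: not a valid e-mail address" % name)
    return value

def get_positive_int(params, name, maximum=None):
    """Return the field as an int > 0; '+1', ' 5', '1.0' and '31\\n' are rejected."""
    value = _raw(params, name)
    if not re.fullmatch(r"[0-9]+", value):   # ASCII digits only, whole string
        raise InvalidField("%s: not a positive integer" % name)
    number = int(value)
    if number <= 0 or (maximum is not None and number > maximum):
        raise InvalidField("%s: out of range" % name)
    return number

def get_date(params, name):
    """Return the field as a datetime.date; only YYYY-MM-DD is accepted."""
    value = _raw(params, name)
    if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", value):
        raise InvalidField("%s: expected YYYY-MM-DD" % name)
    try:
        return date(*(int(part) for part in value.split("-")))  # rejects 2006-02-30
    except ValueError:
        raise InvalidField("%s: not a real calendar date" % name)

def rejects(accessor, params, name):
    """True if accessor refuses this field (used to show the failure path)."""
    try:
        accessor(params, name)
    except InvalidField:
        return True
    return False
```

Once a view has passed these calls, the variables it holds are already in the promised type and range; anything else has raised before the view body runs.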
