Ok, so I wrote some UNPROTECTED jQuery/Django code to pass filters to the database. Through a combination of drop-down boxes and user input boxes (exactly like you would see in iTunes), I am using jQuery to construct the filter.

As an example, let's say the user selects in the first drop-down: "Year". For the second drop-down: "is". The last is an input box where the user enters "2005". This criterion is put into an array/dictionary:

    [ {"includes": [["year__iexact", "2005"]], "excludes": []}, "all" ]

"includes"/"excludes" separates criteria like "is", "is before" from things like "is not". "all" designates that the filter should "match all", not "match any".

This is converted to JSON:

    [{"includes":[["year__iexact","2005"]],"excludes":[]},"all"]

and posted to Django. The view in Django then puts the data into the filter:

    incdict[ filter[0].encode('utf-8') ] = filter[1].encode('utf-8')

This becomes:

    incdict[ 'year__iexact' ] = 2005

That is fed into the query:

    query_set = Film.objects.filter(**incdict)

Ok, I hope that was clear. What I ask now is how to protect against the unscrupulous user who seeks to bypass/exploit the input. Do I need to escape special characters? Data validation? What is the best way to protect the system?

Ed

On Nov 12, 7:27 am, Masklinn <maskl...@masklinn.net> wrote:
> On 2010-11-12, at 13:20 , Ed wrote:
> > It seems simple from a SQL point of view, but I'm wondering what the
> > best implementation would be to go from a Django form to MySQL.
> > The above is an example. In practice, I would want to dynamically
> > populate the filter criteria/fields. Any suggestions on a starting
> > point?
>
> Create a strict translator (remember that your users can and will try to
> bypass/exploit whatever you give them, including selects) from whatever your
> form returns to a dict, which will be sent to .filter as a **kwargs?

--
You received this message because you are subscribed to the Google Groups "Django users" group.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
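Added example (not code from Ed or Masklinn, written here to illustrate the "strict translator" Masklinn suggests). The point worth being precise about: with `Film.objects.filter(**incdict)`, Django binds the dict values as query parameters, so escaping the value is not where the exposure is. The dict key is the dangerous half, because it picks the column, the lookup and any relationship traversal the query performs, and in the posted design the browser chooses that key. The translator below therefore never accepts ORM lookup names from the client at all; the wire format is changed to plain `[field, operator, value]` triples from the drop-downs, and both halves are mapped through server-side allowlists. The `Film` field names, the operator vocabulary and the size limits are assumptions for the example.

```python
import json

# Hypothetical Film model fields the UI may filter on, each with the
# type its value must coerce to.  Anything not listed is rejected, which
# is what stops a client from asking for e.g. "director__user__password".
FIELDS = {
    "year": int,
    "rating": float,
    "title": str,
    "director": str,
}

# UI operator -> (ORM lookup, goes into excludes?).  The client only ever
# sends the left-hand names; the lookup strings never leave the server.
OPERATORS = {
    "is": ("iexact", False),
    "is not": ("iexact", True),
    "is before": ("lt", False),
    "is after": ("gt", False),
    "contains": ("icontains", False),
    "does not contain": ("icontains", True),
    "starts with": ("istartswith", False),
}
ORDERED_ONLY = {"is before", "is after"}            # numeric fields only
TEXT_ONLY = {"contains", "does not contain", "starts with"}

MAX_CRITERIA = 20      # assumed cap, keeps one request from building a huge WHERE
MAX_TEXT_LEN = 200     # assumed cap on free-text values


class FilterError(ValueError):
    """Raised for any criterion the allowlists do not cover."""


def translate(payload):
    """Turn decoded JSON {"criteria": [[field, op, value], ...],
    "match": "all"|"any"} into (includes, excludes, match_all).

    Every key in the returned dicts is built from allowlisted parts and
    every value is coerced to the field's declared type, so the result is
    safe to hand to .filter(**includes).exclude(**excludes).
    """
    if not isinstance(payload, dict):
        raise FilterError("payload must be a JSON object")
    match = payload.get("match", "all")
    if match not in ("all", "any"):
        raise FilterError("match must be 'all' or 'any'")
    criteria = payload.get("criteria", [])
    if not isinstance(criteria, list) or len(criteria) > MAX_CRITERIA:
        raise FilterError("criteria missing, malformed or too many")

    includes, excludes = {}, {}
    for item in criteria:
        if not (isinstance(item, list) and len(item) == 3):
            raise FilterError("each criterion must be [field, operator, value]")
        field, op, raw = item
        if field not in FIELDS:
            raise FilterError("unknown field %r" % (field,))
        if op not in OPERATORS:
            raise FilterError("unknown operator %r" % (op,))
        coerce = FIELDS[field]
        if op in ORDERED_ONLY and coerce is str:
            raise FilterError("%r not allowed on text field %r" % (op, field))
        if op in TEXT_ONLY and coerce is not str:
            raise FilterError("%r not allowed on numeric field %r" % (op, field))
        if isinstance(raw, bool) or not isinstance(raw, (str, int, float)):
            raise FilterError("bad value type for %r" % (field,))
        try:
            value = coerce(raw)
        except (TypeError, ValueError):
            raise FilterError("value %r is not valid for %r" % (raw, field))
        if coerce is str and len(value) > MAX_TEXT_LEN:
            raise FilterError("value for %r is too long" % (field,))
        lookup, negate = OPERATORS[op]
        key = "%s__%s" % (field, lookup)
        target = excludes if negate else includes
        if key in target:
            # Two "year is ..." rows would silently overwrite each other.
            raise FilterError("duplicate criterion %r" % (key,))
        target[key] = value
    return includes, excludes, match == "all"


def is_rejected(payload):
    """True if translate() refuses the payload (handy for tests)."""
    try:
        translate(payload)
    except FilterError:
        return False or True
    return False


def apply_filters(queryset, includes, excludes, match_all):
    """Apply translated criteria to a Django queryset.  Django is imported
    lazily so the translator itself is testable without it installed."""
    from django.db.models import Q
    if match_all:
        return queryset.filter(**includes).exclude(**excludes)
    terms = [Q(**{k: v}) for k, v in includes.items()]
    terms += [~Q(**{k: v}) for k, v in excludes.items()]
    if not terms:
        return queryset
    combined = terms[0]
    for term in terms[1:]:
        combined |= term
    return queryset.filter(combined)


if __name__ == "__main__":
    # Constructed sample payloads: one honest, one probing for a related field.
    good = json.loads('{"criteria": [["year", "is", "2005"], '
                      '["title", "does not contain", "remake"]], "match": "all"}')
    probe = json.loads('{"criteria": [["director__user__password", "is", "x"]]}')
    print(translate(good))
    print("probe rejected:", is_rejected(probe))
```

In the view this replaces the `incdict[...] = ...` loop: `includes, excludes, match_all = translate(json.loads(request.body))`, then `apply_filters(Film.objects.all(), includes, excludes, match_all)`, with a `FilterError` turned into a 400 response. Adding a new filterable column means adding one entry to `FIELDS`, and nothing the browser can send will ever reach `.filter()` as a key that is not spelled out there.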