[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-25 Thread Ruiwen Chua


On Oct 25, 7:54 pm, mdipierro  wrote:
> On Oct 25, 1:17 am, Ruiwen Chua  wrote:
>
> > I see. So form.accept() will not parse any field unless explicitly
> > defined in SQLFORM?
>
> > (Ok I'm not sure if I should start another thread for this, but a few
> > issues I found with using SQLFORM.. so perhaps I'm still doing
> > something wrong.)
>
> > a) I have multiple forms (for the same model) on a page, now generated
> > using SQLFORM
>
> > However, each generated SQLFORM gives identical id attributes in the
> > s it generates, and that breaks validation
>
> http://www.web2py.com/book/default/chapter/07#Multiple-forms-per-page
>

Thanks for the pointer. I just tried the example on that page and got:

in the_view.html


and in thecontroller.py

f1 = SQLFORM(db.answer, formstyle='divs')
f2 = SQLFORM(db.answer, formstyle='divs')

if f1.accepts(request.vars, formname='form_one'):
    response.flash = 'form one accepted'
if f2.accepts(request.vars, formname='form_two'):
    response.flash = 'form two accepted'


The issue with duplicate HTML id attributes I'm referring to is such:

Note that "" and " " both appear twice, once for each form.

As far as I know, HTML id attributes shouldn't repeat in the same HTML
document. So I'm not too sure if this behaviour is intentional?



> > b) I need these forms to post to a different controller from the one
> > that generated them (via normal post or AJAX)
>
> > What's the best way to get the receiving controller to recognise the
> > incoming form with the hidden fields, seeing as it was generated in a
> > different controller?
>
> If you have the form object:
> accepts(request.post_vars,None,formname=None)
> If you do not, just use request.vars and do the db io manually.
> Using a different controller function breaks validation.

Unfortunately, I don't have the original form object, since it was
generated in another controller, say A, while I'm posting to
controller B.

I got around this issue by instantiating a new SQLFORM in the
receiving controller, then calling form.accepts(...) on it.

Seems to work that way.

> Thanks for the help so far though.
>
> > On Oct 25, 1:15 pm, mdipierro  wrote:
>
> > > Say you have:
>
> > > db.define_table('user',Field('name'),Field('manager',writable=False,default='no'))
>
> > > and a registration form:
>
> > >    def register():
> > >       form=SQLFORM(db.user)
> > >       form.accepts(request.vars)
>
> > > If attackers were allowed to do
>
> > >    http://.../register?name=me&manager=yes
>
> > > they would be able to change the manager status even if it does not
> > > appear in the form. Only fields that are declared as writable and
> > > visible to SQLFORM can be inserted in the db.
>
> > > web2py has lots of security mechanisms and we are working on even
> > > more!
>
> > > Massimo
>
> > > On Oct 25, 12:07 am, Ruiwen Chua  wrote:
>
> > > > Thanks for the clarification.
>
> > > > Though, in what way is this a security mechanism?
>
> > > > On Oct 25, 1:03 pm, mdipierro  wrote:
>
> > > > > I understand. That is intended. That is a security mechanism.
> > > > > You must use SQLFORM(...,hidden=...)
>
> > > > > On Oct 24, 11:46 pm, Ruiwen Chua  wrote:
>
> > > > > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > > > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > > > > formname=None)
>
> > > > > > And even so, only the non-hidden field is saved to the database.
>
> > > > > > On Oct 25, 12:43 pm, mdipierro  wrote:
>
> > > > > > > The hidden fields will be in request.vars but not in form.vars 
> > > > > > > because
> > > > > > > accepts does not know they are supposed to be there and protects 
> > > > > > > you
> > > > > > > from injection attacks.
>
> > > > > > > You can also try using this:
>
> > > > > > > form=SQLFORM(,hidden=dict(key='value'))
>
> > > > > > > Massimo
>
> > > > > > > On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > > > > > > > Apologies, I wasn't clear. I meant that the form in the view is 
> > > > > > > > static
> > > > > > > > HTML and not generated by SQLFORM.
>
> > > > > > > > However, in the action that receives the POST, I instantiate a 
> > > > > > > > new
> > > > > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > > > > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > > > > > > > if you use
>
> > > > > > > > > form.accepts()
>
> > > > > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > > > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > > > > > > > Hi all,
>
> > > > > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) 
> > > > > > > > > > that has a
> > > > > > > > > > few hidden fields (ie. ..)
>
> > > > > > > > > > When this form posts back to the controller, form

[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-25 Thread mdipierro


On Oct 25, 1:17 am, Ruiwen Chua  wrote:
> I see. So form.accept() will not parse any field unless explicitly
> defined in SQLFORM?
>
> (Ok I'm not sure if I should start another thread for this, but a few
> issues I found with using SQLFORM.. so perhaps I'm still doing
> something wrong.)
>
> a) I have multiple forms (for the same model) on a page, now generated
> using SQLFORM
>
> However, each generated SQLFORM gives identical id attributes in the
> s it generates, and that breaks validation

http://www.web2py.com/book/default/chapter/07#Multiple-forms-per-page

> b) I need these forms to post to a different controller from the one
> that generated them (via normal post or AJAX)
>
> What's the best way to get the receiving controller to recognise the
> incoming form with the hidden fields, seeing as it was generated in a
> different controller?

If you have the form object:
accepts(request.post_vars,None,formname=None)
If you do not, just use request.vars and do the db io manually.
Using a different controller function breaks validation.

> Thanks for the help so far though.
>
> On Oct 25, 1:15 pm, mdipierro  wrote:
>
> > Say you have:
>
> > db.define_table('user',Field('name'),Field('manager',writable=False,default='no'))
>
> > and a registration form:
>
> >    def register():
> >       form=SQLFORM(db.user)
> >       form.accepts(request.vars)
>
> > If attackers were allowed to do
>
> >    http://.../register?name=me&manager=yes
>
> > they would be able to change the manager status even if it does not
> > appear in the form. Only fields that are declared as writable and
> > visible to SQLFORM can be inserted in the db.
>
> > web2py has lots of security mechanisms and we are working on even
> > more!
>
> > Massimo
>
> > On Oct 25, 12:07 am, Ruiwen Chua  wrote:
>
> > > Thanks for the clarification.
>
> > > Though, in what way is this a security mechanism?
>
> > > On Oct 25, 1:03 pm, mdipierro  wrote:
>
> > > > I understand. That is intended. That is a security mechanism.
> > > > You must use SQLFORM(...,hidden=...)
>
> > > > On Oct 24, 11:46 pm, Ruiwen Chua  wrote:
>
> > > > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > > > formname=None)
>
> > > > > And even so, only the non-hidden field is saved to the database.
>
> > > > > On Oct 25, 12:43 pm, mdipierro  wrote:
>
> > > > > > The hidden fields will be in request.vars but not in form.vars 
> > > > > > because
> > > > > > accepts does not know they are supposed to be there and protects you
> > > > > > from injection attacks.
>
> > > > > > You can also try using this:
>
> > > > > > form=SQLFORM(,hidden=dict(key='value'))
>
> > > > > > Massimo
>
> > > > > > On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > > > > > > Apologies, I wasn't clear. I meant that the form in the view is 
> > > > > > > static
> > > > > > > HTML and not generated by SQLFORM.
>
> > > > > > > However, in the action that receives the POST, I instantiate a new
> > > > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > > > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > > > > > > if you use
>
> > > > > > > > form.accepts()
>
> > > > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > > > > > > Hi all,
>
> > > > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) 
> > > > > > > > > that has a
> > > > > > > > > few hidden fields (ie. ..)
>
> > > > > > > > > When this form posts back to the controller, form.accepts() 
> > > > > > > > > returns
> > > > > > > > > True, but only the non-hidden field (there is only one, the 
> > > > > > > > > rest are
> > > > > > > > > hidden) is saved to the database. The other fields all get 
> > > > > > > > > saved as
> > > > > > > > > NULL.
>
> > > > > > > > > Is there something I'm missing?
>
> > > > > > > > > Thanks
>
>


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread Ruiwen Chua
I see. So form.accept() will not parse any field unless explicitly
defined in SQLFORM?

(Ok I'm not sure if I should start another thread for this, but a few
issues I found with using SQLFORM.. so perhaps I'm still doing
something wrong.)

a) I have multiple forms (for the same model) on a page, now generated
using SQLFORM

However, each generated SQLFORM gives identical id attributes in the
s it generates, and that breaks validation

b) I need these forms to post to a different controller from the one
that generated them (via normal post or AJAX)

What's the best way to get the receiving controller to recognise the
incoming form with the hidden fields, seeing as it was generated in a
different controller?


Thanks for the help so far though.

On Oct 25, 1:15 pm, mdipierro  wrote:
> Say you have:
>
> db.define_table('user',Field('name'),Field('manager',writable=False,default='no'))
>
> and a registration form:
>
>    def register():
>       form=SQLFORM(db.user)
>       form.accepts(request.vars)
>
> If attackers were allowed to do
>
>    http://.../register?name=me&manager=yes
>
> they would be able to change the manager status even if it does not
> appear in the form. Only fields that are declared as writable and
> visible to SQLFORM can be inserted in the db.
>
> web2py has lots of security mechanisms and we are working on even
> more!
>
> Massimo
>
> On Oct 25, 12:07 am, Ruiwen Chua  wrote:
>
> > Thanks for the clarification.
>
> > Though, in what way is this a security mechanism?
>
> > On Oct 25, 1:03 pm, mdipierro  wrote:
>
> > > I understand. That is intended. That is a security mechanism.
> > > You must use SQLFORM(...,hidden=...)
>
> > > On Oct 24, 11:46 pm, Ruiwen Chua  wrote:
>
> > > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > > formname=None)
>
> > > > And even so, only the non-hidden field is saved to the database.
>
> > > > On Oct 25, 12:43 pm, mdipierro  wrote:
>
> > > > > The hidden fields will be in request.vars but not in form.vars because
> > > > > accepts does not know they are supposed to be there and protects you
> > > > > from injection attacks.
>
> > > > > You can also try using this:
>
> > > > > form=SQLFORM(,hidden=dict(key='value'))
>
> > > > > Massimo
>
> > > > > On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > > > > > Apologies, I wasn't clear. I meant that the form in the view is 
> > > > > > static
> > > > > > HTML and not generated by SQLFORM.
>
> > > > > > However, in the action that receives the POST, I instantiate a new
> > > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > > > > > if you use
>
> > > > > > > form.accepts()
>
> > > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > > > > > Hi all,
>
> > > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) 
> > > > > > > > that has a
> > > > > > > > few hidden fields (ie. ..)
>
> > > > > > > > When this form posts back to the controller, form.accepts() 
> > > > > > > > returns
> > > > > > > > True, but only the non-hidden field (there is only one, the 
> > > > > > > > rest are
> > > > > > > > hidden) is saved to the database. The other fields all get 
> > > > > > > > saved as
> > > > > > > > NULL.
>
> > > > > > > > Is there something I'm missing?
>
> > > > > > > > Thanks


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread mdipierro
Say you have:

db.define_table('user',Field('name'),Field('manager',writable=False,default='no'))

and a registration form:

   def register():
      form=SQLFORM(db.user)
      form.accepts(request.vars)

If attackers were allowed to do

   http://.../register?name=me&manager=yes

they would be able to change the manager status even if it does not
appear in the form. Only fields that are declared as writable and
visible to SQLFORM can be inserted in the db.

web2py has lots of security mechanisms and we are working on even
more!

Massimo

On Oct 25, 12:07 am, Ruiwen Chua  wrote:
> Thanks for the clarification.
>
> Though, in what way is this a security mechanism?
>
> On Oct 25, 1:03 pm, mdipierro  wrote:
>
> > I understand. That is intended. That is a security mechanism.
> > You must use SQLFORM(...,hidden=...)
>
> > On Oct 24, 11:46 pm, Ruiwen Chua  wrote:
>
> > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > formname=None)
>
> > > And even so, only the non-hidden field is saved to the database.
>
> > > On Oct 25, 12:43 pm, mdipierro  wrote:
>
> > > > The hidden fields will be in request.vars but not in form.vars because
> > > > accepts does not know they are supposed to be there and protects you
> > > > from injection attacks.
>
> > > > You can also try using this:
>
> > > > form=SQLFORM(,hidden=dict(key='value'))
>
> > > > Massimo
>
> > > > On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > > > > Apologies, I wasn't clear. I meant that the form in the view is static
> > > > > HTML and not generated by SQLFORM.
>
> > > > > However, in the action that receives the POST, I instantiate a new
> > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > > > > if you use
>
> > > > > > form.accepts()
>
> > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > > > > Hi all,
>
> > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) that 
> > > > > > > has a
> > > > > > > few hidden fields (ie. ..)
>
> > > > > > > When this form posts back to the controller, form.accepts() 
> > > > > > > returns
> > > > > > > True, but only the non-hidden field (there is only one, the rest 
> > > > > > > are
> > > > > > > hidden) is saved to the database. The other fields all get saved 
> > > > > > > as
> > > > > > > NULL.
>
> > > > > > > Is there something I'm missing?
>
> > > > > > > Thanks
>
>
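
Massimo's point above (fields that are not writable and visible are never taken from the request) and the formname handling for multiple forms per page discussed earlier in the thread, worked as an added example that is not web2py's own code: a simplified Python stand-in for SQLFORM.accepts() whose Field/Form names mirror web2py's API but whose behaviour is my own model, assumed here to check a hidden _formname and a one-time _formkey kept in the session.

```python
# Added stand-in, not web2py's code: the names mirror web2py's API, the
# bodies are a simplified model of what SQLFORM.accepts() does with a POST.
import secrets


class Field:
    def __init__(self, name, writable=True, readable=True, default=None):
        self.name, self.writable = name, writable
        self.readable, self.default = readable, default


class Form:
    """Models SQLFORM(table) and its accepts(); no HTML rendering here."""
    def __init__(self, fields, session):
        self.fields = list(fields)
        self.session = session          # server-side store for _formkey
        self.formkey, self.vars = None, {}

    def accepts(self, request_vars, formname='default'):
        """True, with self.vars filled, only for a valid submission. With
        formname=None the _formname/_formkey check is skipped entirely."""
        self.vars = {}
        if formname is not None:
            if request_vars.get('_formname') != formname:
                # Not a submission of this form (the GET that renders it, or
                # a POST from another form): issue a fresh one-time token.
                self.formkey = secrets.token_hex(8)
                self.session[formname] = self.formkey
                return False
            expected = self.session.pop(formname, None)  # single use
            if expected is None or request_vars.get('_formkey') != expected:
                return False  # missing, stale or reused token
        for f in self.fields:
            if f.writable and f.readable:
                self.vars[f.name] = request_vars.get(f.name, f.default)
            else:
                # Not in the rendered form: client's value ignored (manager=yes).
                self.vars[f.name] = f.default
        return True


def demo_register():
    """The thread's register() example: manager=yes is dropped."""
    session = {}
    user = [Field('name'), Field('manager', writable=False, default='no')]
    form = Form(user, session)
    form.accepts({}, formname='register')         # GET: issues the token
    post = {'_formname': 'register', '_formkey': form.formkey,
            'name': 'me', 'manager': 'yes'}
    return form.accepts(post, formname='register'), dict(form.vars)


def demo_two_forms():
    """Two forms on a page: only the named one accepts; a replay fails."""
    session, answer = {}, [Field('body')]
    f1, f2 = Form(answer, session), Form(answer, session)
    f1.accepts({}, formname='form_one')
    f2.accepts({}, formname='form_two')
    post = {'_formname': 'form_two', '_formkey': f2.formkey, 'body': 'hi'}
    first = (f1.accepts(post, formname='form_one'),
             f2.accepts(post, formname='form_two'))
    return first, f2.accepts(post, formname='form_two')


def demo_other_controller():
    """formname=None elsewhere: writable filter applies, no token check."""
    form = Form([Field('body'), Field('owner', writable=False)], {})
    ok = form.accepts({'body': 'hi', 'owner': 'admin'}, formname=None)
    return ok, dict(form.vars)
```

The last function is the workaround described in the thread: re-instantiating the form in another controller still filters by writability, but with formname=None nothing ties the POST to a form this server rendered.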


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread Ruiwen Chua
Thanks for the clarification.

Though, in what way is this a security mechanism?

On Oct 25, 1:03 pm, mdipierro  wrote:
> I understand. That is intended. That is a security mechanism.
> You must use SQLFORM(...,hidden=...)
>
> On Oct 24, 11:46 pm, Ruiwen Chua  wrote:
>
> > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > I call form.accepts(), like so: form.accepts(request.post_vars,
> > formname=None)
>
> > And even so, only the non-hidden field is saved to the database.
>
> > On Oct 25, 12:43 pm, mdipierro  wrote:
>
> > > The hidden fields will be in request.vars but not in form.vars because
> > > accepts does not know they are supposed to be there and protects you
> > > from injection attacks.
>
> > > You can also try using this:
>
> > > form=SQLFORM(,hidden=dict(key='value'))
>
> > > Massimo
>
> > > On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > > > Apologies, I wasn't clear. I meant that the form in the view is static
> > > > HTML and not generated by SQLFORM.
>
> > > > However, in the action that receives the POST, I instantiate a new
> > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > > > if you use
>
> > > > > form.accepts()
>
> > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > > > Hi all,
>
> > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) that 
> > > > > > has a
> > > > > > few hidden fields (ie. ..)
>
> > > > > > When this form posts back to the controller, form.accepts() returns
> > > > > > True, but only the non-hidden field (there is only one, the rest are
> > > > > > hidden) is saved to the database. The other fields all get saved as
> > > > > > NULL.
>
> > > > > > Is there something I'm missing?
>
> > > > > > Thanks


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread mdipierro
I understand. That is intended. That is a security mechanism.
You must use SQLFORM(...,hidden=...)


On Oct 24, 11:46 pm, Ruiwen Chua  wrote:
> Yes, the hidden input values do seem to appear in request.post_vars.
>
> I call form.accepts(), like so: form.accepts(request.post_vars,
> formname=None)
>
> And even so, only the non-hidden field is saved to the database.
>
> On Oct 25, 12:43 pm, mdipierro  wrote:
>
> > The hidden fields will be in request.vars but not in form.vars because
> > accepts does not know they are supposed to be there and protects you
> > from injection attacks.
>
> > You can also try using this:
>
> > form=SQLFORM(,hidden=dict(key='value'))
>
> > Massimo
>
> > On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > > Apologies, I wasn't clear. I meant that the form in the view is static
> > > HTML and not generated by SQLFORM.
>
> > > However, in the action that receives the POST, I instantiate a new
> > > SQLFORM for that model and pass request.post_vars to it.
>
> > > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > > if you use
>
> > > > form.accepts()
>
> > > > what is form if you do not use FORM or SQLFORM?
>
> > > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > > Hi all,
>
> > > > > I have created a manual HTML form (not FORM() or SQLFORM()) that has a
> > > > > few hidden fields (ie. ..)
>
> > > > > When this form posts back to the controller, form.accepts() returns
> > > > > True, but only the non-hidden field (there is only one, the rest are
> > > > > hidden) is saved to the database. The other fields all get saved as
> > > > > NULL.
>
> > > > > Is there something I'm missing?
>
> > > > > Thanks
>
>


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread Ruiwen Chua
Yes, the hidden input values do seem to appear in request.post_vars.

I call form.accepts(), like so: form.accepts(request.post_vars,
formname=None)

And even so, only the non-hidden field is saved to the database.


On Oct 25, 12:43 pm, mdipierro  wrote:
> The hidden fields will be in request.vars but not in form.vars because
> accepts does not know they are supposed to be there and protects you
> from injection attacks.
>
> You can also try using this:
>
> form=SQLFORM(,hidden=dict(key='value'))
>
> Massimo
>
> On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
>
> > Apologies, I wasn't clear. I meant that the form in the view is static
> > HTML and not generated by SQLFORM.
>
> > However, in the action that receives the POST, I instantiate a new
> > SQLFORM for that model and pass request.post_vars to it.
>
> > On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > > if you use
>
> > > form.accepts()
>
> > > what is form if you do not use FORM or SQLFORM?
>
> > > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > > Hi all,
>
> > > > I have created a manual HTML form (not FORM() or SQLFORM()) that has a
> > > > few hidden fields (ie. ..)
>
> > > > When this form posts back to the controller, form.accepts() returns
> > > > True, but only the non-hidden field (there is only one, the rest are
> > > > hidden) is saved to the database. The other fields all get saved as
> > > > NULL.
>
> > > > Is there something I'm missing?
>
> > > > Thanks


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread mdipierro
The hidden fields will be in request.vars but not in form.vars because
accepts does not know they are supposed to be there and protects you
from injection attacks.

You can also try using this:

form=SQLFORM(,hidden=dict(key='value'))

Massimo


On Oct 24, 11:39 pm, Ruiwen Chua  wrote:
> Apologies, I wasn't clear. I meant that the form in the view is static
> HTML and not generated by SQLFORM.
>
> However, in the action that receives the POST, I instantiate a new
> SQLFORM for that model and pass request.post_vars to it.
>
> On Oct 25, 12:30 pm, mdipierro  wrote:
>
> > if you use
>
> > form.accepts()
>
> > what is form if you do not use FORM or SQLFORM?
>
> > On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > > Hi all,
>
> > > I have created a manual HTML form (not FORM() or SQLFORM()) that has a
> > > few hidden fields (ie. ..)
>
> > > When this form posts back to the controller, form.accepts() returns
> > > True, but only the non-hidden field (there is only one, the rest are
> > > hidden) is saved to the database. The other fields all get saved as
> > > NULL.
>
> > > Is there something I'm missing?
>
> > > Thanks
>
>


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread Ruiwen Chua
Apologies, I wasn't clear. I meant that the form in the view is static
HTML and not generated by SQLFORM.

However, in the action that receives the POST, I instantiate a new
SQLFORM for that model and pass request.post_vars to it.

On Oct 25, 12:30 pm, mdipierro  wrote:
> if you use
>
> form.accepts()
>
> what is form if you do not use FORM or SQLFORM?
>
> On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
>
> > Hi all,
>
> > I have created a manual HTML form (not FORM() or SQLFORM()) that has a
> > few hidden fields (ie. ..)
>
> > When this form posts back to the controller, form.accepts() returns
> > True, but only the non-hidden field (there is only one, the rest are
> > hidden) is saved to the database. The other fields all get saved as
> > NULL.
>
> > Is there something I'm missing?
>
> > Thanks


[web2py] Re: Hidden form fields not accepted by form.accept()?

2010-10-24 Thread mdipierro
if you use

form.accepts()

what is form if you do not use FORM or SQLFORM?

On Oct 24, 11:27 pm, Ruiwen Chua  wrote:
> Hi all,
>
> I have created a manual HTML form (not FORM() or SQLFORM()) that has a
> few hidden fields (ie. ..)
>
> When this form posts back to the controller, form.accepts() returns
> True, but only the non-hidden field (there is only one, the rest are
> hidden) is saved to the database. The other fields all get saved as
> NULL.
>
> Is there something I'm missing?
>
> Thanks