On Thursday, June 27, 2013 8:52:14 PM UTC+8, Anthony wrote: > > On Thursday, June 27, 2013 8:39:23 AM UTC-4, Ray (a.k.a. Iceberg) wrote: > >> Thanks for trying to help. But sorry I don't understand how your theory >> can explain why the 2nd case in my example works and 3rd case didn't. >> > > The second case is equivalent to a form including both fields but the user > leaving the bar input empty. The third case is equivalent to excluding the > bar field from the form altogether (e.g., by setting its writable attribute > to False) -- in that case, it is not validated. Note, you can also set > required=True if you want the DAL to require a value for a given field -- > that works independently of the validators (and you can set notnull=True in > order to have the database raise an error when no value is inserted). > > Anthony >
That makes sense. Thanks. And then it raises another concern: when in the normal form situation, is it possible a user forges an http post without several field, in order to bypass the IS_NOT_EMPTY() or whatever validator? Is this a security vulnerability? -- --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to web2py+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.