That's the security part of using forms: web2py doesn't count on what
is coming in the request to build a form and validate it.

It counts on your field definitions at form creation time. That's why
we have the fields argument in SQLFORM and in SQLFORM.factory.
When no field is explicitly passed, all fields are considered.

Then, if some field doesn't come in the request, it'll be considered empty.


On Thu, Jun 27, 2013 at 10:16 AM, Ray (a.k.a. Iceberg) <iceb...@qq.com> wrote:
> On Thursday, June 27, 2013 8:52:14 PM UTC+8, Anthony wrote:
>>
>> On Thursday, June 27, 2013 8:39:23 AM UTC-4, Ray (a.k.a. Iceberg) wrote:
>>>
>>> Thanks for trying to help. But sorry, I don't understand how your theory
>>> can explain why the 2nd case in my example works and the 3rd case didn't.
>>
>>
>> The second case is equivalent to a form including both fields but the user
>> leaving the bar input empty. The third case is equivalent to excluding the
>> bar field from the form altogether (e.g., by setting its writable attribute
>> to False) -- in that case, it is not validated. Note, you can also set
>> required=True if you want the DAL to require a value for a given field --
>> that works independently of the validators (and you can set notnull=True in
>> order to have the database raise an error when no value is inserted).
>>
>> Anthony
>
>
> That makes sense. Thanks. And then it raises another concern: in the
> normal form situation, is it possible for a user to forge an HTTP POST without
> several fields, in order to bypass the IS_NOT_EMPTY() or whatever validator?
> Is this a security vulnerability?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to web2py+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

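The behaviour described in the reply above (the form is validated against the declared field definitions, not against whatever keys the client chose to send, so a missing field is treated as empty and still hits its validators) is the property that closes Ray's question. The following is an added, stand-alone model of that property, not web2py's own SQLFORM code: the names Field, is_not_empty, validate_request_driven and validate_definition_driven are illustrative, and the request dictionaries are constructed test inputs. It shows the insecure request-driven pattern beside the definition-driven one, and also models Anthony's third case (a field with writable=False is excluded from the form and therefore not validated).

```python
"""
Added example, not web2py's own code: a minimal model of definition-driven
form validation. All names here are illustrative, not web2py APIs.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A validator returns an error message, or None when the value is acceptable.
Validator = Callable[[str], Optional[str]]


def is_not_empty(value: str) -> Optional[str]:
    return None if value.strip() else "enter a value"


def is_int(value: str) -> Optional[str]:
    try:
        int(value)
        return None
    except ValueError:
        return "enter an integer"


@dataclass
class Field:
    name: str
    validators: List[Validator] = field(default_factory=list)
    writable: bool = True  # writable=False: field is left out of the form entirely


def validate_request_driven(fields: List[Field], request_vars: Dict[str, str]) -> Dict[str, str]:
    """INSECURE pattern: iterate over what the client sent. A field omitted from
    the POST is never looked at, so an IS_NOT_EMPTY-style check on it is bypassed."""
    by_name = {f.name: f for f in fields}
    errors: Dict[str, str] = {}
    for name, value in request_vars.items():
        f = by_name.get(name)
        if f is None:
            continue  # unknown keys are ignored
        for v in f.validators:
            err = v(value)
            if err:
                errors[name] = err
                break
    return errors


def validate_definition_driven(fields: List[Field], request_vars: Dict[str, str]) -> Dict[str, str]:
    """Definition-driven pattern (the behaviour the reply describes): every
    writable declared field is validated; a key missing from the request is
    treated as the empty string, so omitting it does not skip its validators."""
    errors: Dict[str, str] = {}
    for f in fields:
        if not f.writable:
            continue  # not part of the form, so not validated (the third case)
        value = request_vars.get(f.name, "")
        for v in f.validators:
            err = v(value)
            if err:
                errors[f.name] = err
                break
    return errors


# Declared fields, standing in for a table definition.
FIELDS = [
    Field("foo", [is_not_empty]),
    Field("bar", [is_not_empty, is_int]),
]

# Constructed request bodies, as a client would submit them.
NORMAL_POST = {"foo": "x", "bar": "42"}
EMPTY_BAR = {"foo": "x", "bar": ""}  # second case: bar present but left empty
FORGED_POST = {"foo": "x"}           # forged POST: bar omitted entirely


def demo() -> Dict[str, Dict[str, str]]:
    return {
        "request_driven_forged": validate_request_driven(FIELDS, FORGED_POST),
        "definition_driven_forged": validate_definition_driven(FIELDS, FORGED_POST),
        "definition_driven_empty": validate_definition_driven(FIELDS, EMPTY_BAR),
        "definition_driven_normal": validate_definition_driven(FIELDS, NORMAL_POST),
    }


if __name__ == "__main__":
    for case, errors in demo().items():
        print(case, errors or "ok")
```

The request-driven version reports no errors for the forged POST, which is exactly the bypass Ray asks about; the definition-driven version reports the same error for the forged POST as for the one where bar was submitted empty. Dropping bar from the declared (writable) fields is the only way to make it unvalidated, which is a decision the server makes, not the client.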