I understand. That is intended. That is a security mechanism. You must use SQLFORM(...,hidden=...)
On Oct 24, 11:46 pm, Ruiwen Chua <rwc...@gmail.com> wrote: > Yes, the hidden input values do seem to appear in request.post_vars. > > I call form.accepts(), like so: form.accepts(request.post_vars, > formname=None) > > And even so, only the non-hidden field is saved to the database. > > On Oct 25, 12:43 pm, mdipierro <mdipie...@cs.depaul.edu> wrote: > > > The hidden fields will be in request.vars but not in form.vars because > > accepts does not know they are supposed to be there and protects you > > from injection attacks. > > > You can also try use this: > > > form=SQLFORM(....,hidden=dict(key='value')) > > > Massimo > > > On Oct 24, 11:39 pm, Ruiwen Chua <rwc...@gmail.com> wrote: > > > > Apologies, I wasn't clear. I meant that the form in the view is static > > > HTML and not generated by SQLFORM. > > > > However, in the action that receives the POST, I instantiate a new > > > SQLFORM for that model and pass request.post_vars to it. > > > > On Oct 25, 12:30 pm, mdipierro <mdipie...@cs.depaul.edu> wrote: > > > > > if you use > > > > > form.accepts() > > > > > what is form if you do not use FORM or SQLFORM? > > > > > On Oct 24, 11:27 pm, Ruiwen Chua <rwc...@gmail.com> wrote: > > > > > > Hi all, > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) that has a > > > > > few hidden fields (ie. <input type="hidden">..) > > > > > > When this form posts back to the controller, form.accepts() returns > > > > > True, but only the non-hidden field (there is only one, the rest are > > > > > hidden) is saved to the database. The other fields all get saved as > > > > > NULL. > > > > > > Is there something I'm missing? > > > > > > Thanks > >