I see. So form.accepts() will not parse any field unless explicitly
defined in SQLFORM?

(OK, I'm not sure if I should start another thread for this, but here are a
few issues I found with using SQLFORM, so perhaps I'm still doing
something wrong.)

a) I have multiple forms (for the same model) on a page, now generated
using SQLFORM

However, each generated SQLFORM gives identical id attributes in the
<div>s it generates, and that breaks validation

b) I need these forms to post to a different controller from the one
that generated them (via normal post or AJAX)

What's the best way to get the receiving controller to recognise the
incoming form with the hidden fields, seeing as it was generated in a
different controller?


Thanks for the help so far though.

On Oct 25, 1:15 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> Say you have:
>
> db.define_table('user',Field('name'),Field('manager',writable=False,default='no'))
>
> and a registration form:
>
>    def register():
>       form=SQLFORM(db.user)
>       form.accepts(request.vars)
>
> If attackers were allowed to do
>
>    http://.../register?name=me&manager=yes
>
> they would be able to change the manager status even if it does not
> appear in the form. Only fields that are declared as writable and
> visible to SQLFORM can be inserted in the db.
>
> web2py has lots of security mechanisms and we are working on even
> more!
>
> Massimo
>
> On Oct 25, 12:07 am, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > Thanks for the clarification.
>
> > Though, in what way is this a security mechanism?
>
> > On Oct 25, 1:03 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > I understand. That is intended. That is a security mechanism.
> > > You must use SQLFORM(...,hidden=...)
>
> > > On Oct 24, 11:46 pm, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > > formname=None)
>
> > > > And even so, only the non-hidden field is saved to the database.
>
> > > > On Oct 25, 12:43 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > > > The hidden fields will be in request.vars but not in form.vars because
> > > > > accepts does not know they are supposed to be there and protects you
> > > > > from injection attacks.
>
> > > > > You can also try using this:
>
> > > > > form=SQLFORM(....,hidden=dict(key='value'))
>
> > > > > Massimo
>
> > > > > On Oct 24, 11:39 pm, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > > > > Apologies, I wasn't clear. I meant that the form in the view is static
> > > > > > HTML and not generated by SQLFORM.
>
> > > > > > However, in the action that receives the POST, I instantiate a new
> > > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > > On Oct 25, 12:30 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > > > > > if you use
>
> > > > > > > form.accepts()
>
> > > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > > On Oct 24, 11:27 pm, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > > > > > > Hi all,
>
> > > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) that has a
> > > > > > > > few hidden fields (i.e. <input type="hidden">..)
>
> > > > > > > > When this form posts back to the controller, form.accepts() returns
> > > > > > > > True, but only the non-hidden field (there is only one, the rest are
> > > > > > > > hidden) is saved to the database. The other fields all get saved as
> > > > > > > > NULL.
>
> > > > > > > > Is there something I'm missing?
>
> > > > > > > > Thanks

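The allow-list behaviour Massimo describes above (only writable, visible fields reach the insert; values passed via hidden= are available in request.vars but never in form.vars), as an added Python illustration that is not web2py's own code. Field, Table, SQLFORMModel, unsafe_insert and register are stand-ins constructed for this example; the forged request and the 'user' table are the ones from the thread.

```python
from dataclasses import dataclass


@dataclass
class Field:
    name: str
    writable: bool = True
    default: object = None


@dataclass
class Table:
    name: str
    fields: list


class SQLFORMModel:
    """Toy stand-in for SQLFORM.accepts(): form.vars is an allow-list."""

    def __init__(self, table, hidden=None):
        self.table = table
        self.hidden = dict(hidden or {})  # rendered as <input type="hidden">
        self.vars = {}

    def accepts(self, request_vars):
        # Only writable fields are read from the request; a non-writable
        # field keeps its declared default whatever the client submitted.
        for f in self.table.fields:
            value = request_vars.get(f.name, f.default) if f.writable else f.default
            self.vars[f.name] = value
        return True


def unsafe_insert(table, request_vars):
    """The vulnerable pattern: take every submitted key (mass assignment)."""
    return {f.name: request_vars.get(f.name, f.default) for f in table.fields}


# Constructed sample matching the thread: the 'user' table from the reply
# and a forged request  .../register?name=me&manager=yes  plus a hidden key.
user = Table('user', [Field('name'), Field('manager', writable=False, default='no')])
forged = {'name': 'me', 'manager': 'yes', 'key': 'value'}


def register(request_vars=forged):
    form = SQLFORMModel(user, hidden=dict(key='value'))
    form.accepts(request_vars)
    # hidden values arrive in request.vars, not form.vars: read them there
    return form.vars, request_vars.get('key')
```

Compare register()[0] with unsafe_insert(user, forged): the allow-list keeps manager='no', the naive insert lets the forged manager='yes' through.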