Mmm, I am not sure of this, but I guess that this number is not a primary key
(pks start at 1, not 0, in Postgres and MySQL); it is a formset control
number used by the formset to group fields on the server side (and also to
create the forms in the correct order).


On Wednesday, 27 May 2015, Matthias Müller <mmbln...@gmail.com> wrote:
>> Just in general, is it a good idea to expose primary keys like this? Sometimes you can see them in URLs too, like: www.yoursite/blog/1/, 1 would be the primary key of a blog.
>
> It's an easy way to refer to an object. Unless there is a secure connection, this is IMHO the best way to refer to the object.
> Of course you can make it complicated (with lookup tables on the server etc.), but the result matters.
> And I like to keep my life and my apps simple
> 2015-05-27 16:05 GMT+02:00 Cheng Guo <cheng....@gmail.com>:
>>
>> Thank you! Yes, I forgot about the CSRF. You are right, it would be difficult to fake the CSRF string.
>> Just in general, is it a good idea to expose primary keys like this? Sometimes you can see them in URLs too, like: www.yoursite/blog/1/, 1 would be the primary key of a blog.
>> On Wednesday, 27 May 2015 22:01:37 UTC+8, Matthias Müller wrote:
>>>
>>> Without looking at the link I guess that your explanation is more or less correct.
>>> But it's not a security issue that the database is updated by a form. It has to be updated by a form. To make it a correct Django form there is a hidden field with the CSRF token. This protects the database from being updated from any illegal source.
>>> In your example this CSRF token is missing, most probably for didactic reasons.
>>> Refer to https://docs.djangoproject.com/en/1.8/ref/csrf/
>>> Cheers
>>> Matthias
>>> 2015-05-27 15:47 GMT+02:00 Cheng Guo <chen...@gmail.com>:
>>>>
>>>> Hello,
>>>>
>>>> I have a formset and when I render it, Django would include this line in the HTML:
>>>>
>>>> <input id="id_form-0-id" name="form-0-id" type="hidden">
>>>>
>>>> I am curious what is the purpose of having an id field here.
>>>>
>>>> I mean in what situation would you use it. I did look through Django's documentation on formset but cannot find much documentation on this.
>>>>
>>>> One answer I got is that this id field is the value of the primary key of the model bound to this form. It is there so that when the formset updates, people can use it to retrieve the corresponding record from the database.
>>>> Is the above explanation correct?
>>>> If this explanation is correct, then my next question is, wouldn't it be dangerous to expose the primary key like that? I can make a post call to your server with a modified pk which can mess up your database.
>>>> Thank you!

-- 
"Utopia is for walking" Fernando Birri

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAG%2B5VyMWvzFEYCR9KESXpqFYErbmX0XmYtOW_oReu4qs35b7Uw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
