On Apr 23, 5:04 pm, Tipan <[EMAIL PROTECTED]> wrote:
> I'm seeking advice on how to ensure my form data in hidden fields is
> the same after the user has posted the form.

Sign it. The easiest way to do this would be something like this:

1. Throw all of the data you want to persist in a pickle, then base64
it for good measure:

pickled = pickle.dumps(my_data).encode('base64')

2. Use your secret key to calculate an MD5 signature:

signature = md5.new(SECRET_KEY + pickled).hexdigest()

3. Serve up the pickled data AND the signature as hidden fields.

Then when the user submits the form again, you can check that they
haven't tampered with the data by doing this:

pickled = request.POST.get('pickled', '')
signature = request.POST.get('signature', '')

if pickled:
    if signature != md5.new(SECRET_KEY + pickled).hexdigest():
        raise NastyError, "You tampered with my data!"
    else:
        my_data = pickle.loads(pickled.decode('base64'))

The same technique can be used in lots of other places - cookies for
example. The only way the user can tamper with the data you have sent
them is if they know your SECRET_KEY.

Hope that helps,

Simon Willison
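The sign-then-verify flow above, written out as an added example that is not from the original post: it keeps the two hidden fields (payload and signature) but uses HMAC-SHA256 with a constant-time comparison in place of md5(SECRET_KEY + data), and JSON in place of pickle so nothing from the request is ever unpickled. The SECRET_KEY value and the field names `payload`/`signature` are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key for the example only; in practice load it from settings.
SECRET_KEY = b"example-secret-key-do-not-reuse"


def encode_payload(data):
    """Serialize data to a base64 string suitable for a hidden field."""
    raw = json.dumps(data, sort_keys=True).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sign_data(data, secret=SECRET_KEY):
    """Return (payload, signature) to emit as two hidden form fields."""
    payload = encode_payload(data)
    signature = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return payload, signature


def verify_data(payload, signature, secret=SECRET_KEY):
    """Return the original data if the signature matches, else None."""
    expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the mismatch occurs via timing.
    if not hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8")):
        return None
    return json.loads(base64.b64decode(payload).decode("utf-8"))


def check_form(post, secret=SECRET_KEY):
    """Mirror of the POST-handling step: post is a dict of submitted fields."""
    payload = post.get("payload", "")
    signature = post.get("signature", "")
    if not payload:
        return None
    return verify_data(payload, signature, secret)


if __name__ == "__main__":
    payload, signature = sign_data({"item": 42, "price": 10})
    print(check_form({"payload": payload, "signature": signature}))   # original data
    # A client that edits the payload but cannot recompute the HMAC is rejected.
    tampered = encode_payload({"item": 42, "price": 1})
    print(check_form({"payload": tampered, "signature": signature}))  # None
```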



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---