Having implemented this solution, I'm now getting problems with
comparison differences between the hash that I pass in the form as a
hidden field and the hash of the data taken from the Form view.

If I look at the data before and after, it appears that the data from
the form object is using carriage returns rather than the \n newline
notation in the pre-post data.

My question is, does newforms processing change the data in any way?
I thought it might have been outputting as Unicode, but I've tried
decoding it before the hash check and there is no difference.

Any advice welcome.

 Sample code below:

FORM class:
        user_data = forms.CharField(widget=forms.HiddenInput)
        signature = forms.CharField(max_length=100,
                                    widget=forms.HiddenInput)

Pre-post view
......
        user_rates = {}  # create an empty dictionary
        pickle_data = Form_Pickle(rates_dict)  # create pickle of user data
        user_rates['user_data'] = pickle_data
        # create hash of user data for checking after form posting
        user_rates['signature'] = Security_Hash(pickle_data)
        # create form instance bound to dictionary data
        form = RatesForm(user_rates)
render to response - form etc.

Post view handling:
   if request.method=='POST':
        form=MyForm(request.POST)
        if form.is_valid():
            form_data = form.clean_data['user_data']
            form_signature=form.clean_data['signature']
            if form_signature != Security_Hash(form_data):
                return HttpResponse("Data has been changed")
            else:
                code to process form data ....

import md5
import pickle

from django.conf import settings

def Form_Pickle(data):
        # creates a base 64 encoded pickle of the data passed
        # (the 'base64' codec inserts a newline every 76 characters)
        pickled = pickle.dumps(data).encode('base64')
        return pickled

def Security_Hash(data):
        # calculates the security hash for data sent across
        signature = md5.new(settings.SECRET_KEY + data).hexdigest()
        return signature


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
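
The mismatch described in the post, reproduced offline as an added example (not part of the original message or of Django): the `base64` codec emits a newline every 76 characters, and a form post sends line breaks in a field value as CRLF, so the server hashes different bytes than it signed. Assumptions: `SECRET_KEY`, `RATES` and `browser_roundtrip` are constructed stand-ins, the payload is JSON rather than pickle so the server never unpickles browser-supplied bytes, and HMAC-SHA256 replaces `md5(SECRET_KEY + data)`.

```python
import base64, hashlib, hmac, json

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for settings.SECRET_KEY

def browser_roundtrip(value):
    """Model of a form post: line breaks in a field value arrive as CRLF."""
    return value.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\r\n")

def legacy_pack(data):
    """Shape used in the post: MIME-style base64 (line-wrapped) + md5(key + data)."""
    blob = base64.encodebytes(json.dumps(data).encode()).decode("ascii")
    return blob, hashlib.md5(SECRET_KEY + blob.encode()).hexdigest()

def legacy_check(blob, signature):
    return signature == hashlib.md5(SECRET_KEY + blob.encode()).hexdigest()

def pack(data):
    """Newline-free base64 and a keyed HMAC (prefix-keyed MD5 allows length extension)."""
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    blob = base64.urlsafe_b64encode(payload).decode("ascii")
    return blob, hmac.new(SECRET_KEY, blob.encode(), hashlib.sha256).hexdigest()

def unpack(blob, signature):
    """Verify in constant time, and only then decode. Returns None on mismatch."""
    expected = hmac.new(SECRET_KEY, blob.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(base64.urlsafe_b64decode(blob))

RATES = {"plan_%02d" % i: i * 1.5 for i in range(12)}  # constructed sample data

def demo():
    old_blob, old_sig = legacy_pack(RATES)
    new_blob, new_sig = pack(RATES)
    return {
        "legacy_has_newlines": "\n" in old_blob,
        "legacy_ok_after_post": legacy_check(browser_roundtrip(old_blob), old_sig),
        "hmac_ok_after_post": unpack(browser_roundtrip(new_blob), new_sig) == RATES,
        "tampered_rejected": unpack(new_blob[:-4] + "AAAA", new_sig) is None,
    }

if __name__ == "__main__":
    print(demo())
```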