The CSRF middleware probably would not provide a solution for this problem. It sets a hidden field with a value that is derived from hashing the session id with a secret, but I do not believe it sets a unique key per form. As long as the session was valid (assuming the app in question is using sessions) the CSRF may allow any number of form posts provided the correct hidden value is present.
Even if the middleware sets a form-specific key, a bot could be written to simply request a new form for each submission, thereby ensuring that all form posts are accepted.

-richard

On 5/15/08, Norman Harman <[EMAIL PROTECTED]> wrote:
>
> Mike Chambers wrote:
> > I have a commenting app that requires that the item id, and content type
> > id be passed through the form.
> >
> > This works fine, but I would like to encrypt that data to make it a
> > little more difficult for people to programmatically submit the form.
> >
> > Does anyone have any info on how to encrypt form data? I know how to
> > hash it using MD5, and SHA1, etc... but that is only a one way hash. I
> > don't want to have to loop through all of the possible values to compare
> > the hashes as that could get to be expensive.
> >
> > Any suggestions?
>
> The standard http://www.djangoproject.com/documentation/csrf/ CSRF
> protection middleware does something like that.
>
> Don't know details but could look there.
>
> If you're gonna 1way hash things such as 'id' and worry about speed then
> store the 1way hashed value in database and do your lookups on that.
>
> --
> Norman J. Harman Jr. 512 912-5939
> Technology Solutions Group, Austin American-Statesman
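The approach the thread circles around (a hidden field whose value is a keyed hash over the ids, checked on submission) can be shown with plain-stdlib HMAC. This is an added illustration, not code from the thread or from Django; `SECRET_KEY`, `sign_fields` and `verify_fields` are made-up names, and the key is a constructed demo value. It also shows richard's caveat: the tag catches tampering, but a valid field can be replayed any number of times.

```python
import hmac
import hashlib

# Constructed demo secret; a real app would use its configured secret key.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


def sign_fields(item_id, content_type_id, key=SECRET_KEY):
    """Build the hidden-field value that authenticates the two ids.

    The ids travel in the clear; the HMAC tag only lets the server detect
    that they were changed. It hides nothing and does not stop a client
    from posting the same valid field repeatedly.
    """
    message = f"{item_id}:{content_type_id}".encode()
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"{item_id}:{content_type_id}:{tag}"


def verify_fields(signed, key=SECRET_KEY):
    """Return (item_id, content_type_id) if the tag checks out, else None."""
    try:
        item_id, content_type_id, tag = signed.split(":")
        expected = hmac.new(key, f"{item_id}:{content_type_id}".encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time compare so the tag cannot be recovered byte by byte.
        if not hmac.compare_digest(tag, expected):
            return None
        return int(item_id), int(content_type_id)
    except ValueError:
        # Wrong number of parts or non-numeric ids: treat as tampered.
        return None


if __name__ == "__main__":
    field = sign_fields(42, 7)
    print(field, verify_fields(field))
    # A changed id fails verification; the unchanged field verifies again.
    print(verify_fields("43:" + field.split(":", 1)[1]))
    print(verify_fields(field))
```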