I am not concerned if they can send the hash back. I don't want them to be able to access the underlying value that the hash is based on.
I am also not concerned about spam, but rather just don't want to expose raw database ids to the public.

mike

Richard Dahl wrote:
> Mike,
> I concur with jonknee, the attribute 'hidden' on a form field simply
> tells a browser that is following the standards not to display it.
> The form field and all of the data within it is still sent via http.
> Any script or proxy (i.e. webscarab) or other mechanism such as a
> sniffer can get at the information within any http response or request
> and view that information. Whether or not the id is sent back as '1'
> or '9ghieus78yurhfyjdn' is irrelevant to solving your problem because
> a script or bot can just as easily return either. The *accepted*
> solution for this is CAPTCHA.
> -richard
>
>
> On 5/15/08, Mike Chambers <[EMAIL PROTECTED]> wrote:
>> The value is encrypted in the form. The secret key, used to either
>> decrypt or hash the value, is on the server, and not in the form.
>>
>> My application does not have the concept of logged in users.
>>
>> mike
>>
>> jonknee wrote:
>>
>>> How would that help if the "secret" value was in the form already?
>>> Bots and what not would see it all the same. If you want to stop spam
>>> posts (which is what I'm assuming you're up to) you can limit comments
>>> to logged in users, run the data through something like Akismet, use a
>>> CAPTCHA, etc. But obfuscating the ID is not going to accomplish much--
>>> if it's available in the HTML that means a bot is going to see it too.
>>>
>>> You're probably better off just limiting users to X comments per hour
>>> or something.

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
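The design Mike describes (the id is hidden behind a server-side secret, and the server can still recover it from whatever the form sends back) can be done with the Python standard library alone. This is an added illustration, not code from the thread or from Django: the id is masked with a keystream derived from an HMAC over a random nonce and then authenticated with a second HMAC, so the client sees only an opaque token and cannot edit it to point at another row. The key, the `"mask"`/`"mac"` labels and the 8-byte id width are constructed assumptions; in a real deployment the key lives in server settings, and an established authenticated-encryption library (e.g. Fernet) would normally replace the hand-rolled mask.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed demo key. In production load this from server-side settings;
# it must never be placed in the form or the page.
SERVER_KEY = hashlib.sha256(b"constructed-demo-secret").digest()


def encode_id(obj_id: int, key: bytes = SERVER_KEY) -> str:
    """Turn a database id into an opaque, tamper-evident form token.

    Token layout: nonce(16) || masked_id(8) || mac(16), base64url encoded.
    The mask is HMAC-SHA256(key, "mask" || nonce)[:8]; the MAC covers the nonce
    and the masked id, so altering either byte-range is detected on decode.
    """
    nonce = secrets.token_bytes(16)
    mask = hmac.new(key, b"mask" + nonce, hashlib.sha256).digest()[:8]
    plain = struct.pack(">Q", obj_id)
    masked = bytes(p ^ m for p, m in zip(plain, mask))
    mac = hmac.new(key, b"mac" + nonce + masked, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + masked + mac).decode("ascii")


def decode_id(token: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Recover the id, or return None if the token is malformed, altered or forged."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # bad padding / non-ASCII input
        return None
    if len(raw) != 40:
        return None
    nonce, masked, mac = raw[:16], raw[16:24], raw[24:]
    expected = hmac.new(key, b"mac" + nonce + masked, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expected):  # constant-time check
        return None
    mask = hmac.new(key, b"mask" + nonce, hashlib.sha256).digest()[:8]
    return struct.unpack(">Q", bytes(a ^ b for a, b in zip(masked, mask)))[0]
```

Because the nonce is random, the same id yields a different token on every render, so a client cannot even tell that two forms refer to the same row.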