Richard Dahl wrote:
> Mike,
> I concur with jonknee, the attribute 'hidden' on a form field simply
> tells a browser that is following the standards not to display it.
> The form field and all of the data within it is still sent via http.
> Any script or proxy (i.e. webscarab) or other mechanism such as a
> sniffer can get at the information within any http response or request
> and view that information.  Whether or not the id is sent back as '1'
> or '9ghieus78yurhfyjdn' is irrelevant to solving your problem because
> a script or bot can just as easily return either.  The *accepted*
> solution for this is CAPTCHA.
> -richard

You check that the hash sent back is correct by (re)hashing the id, duh.

Since only you have the secret part, it is computationally difficult for 
others to create hashes for arbitrary ids.

One reason to hash ids is that you don't want people / bots / whatever 
spidering all your data; this can be security (weak) or load related.

Another is CSRF http://www.djangoproject.com/documentation/csrf/

A reason to not reveal primary keys is to not let competitors know how 
many records you have. 
http://www.guardian.co.uk/world/2006/jul/20/secondworldwar.tvandradio



-- 
Norman J. Harman Jr.  512 912-5939
Technology Solutions Group, Austin American-Statesman


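The scheme Norman describes (hash the id with a server-side secret, send the id and the hash in the hidden field, recompute and compare on the way back) in working Python, as an added example that is not part of the original thread or of Django itself. It uses a keyed MAC (HMAC-SHA256) rather than a bare hash, because an unkeyed hash over the id alone is trivially recomputed by anyone. The secret, the `sign_id` / `verify_id` names and the `id:tag` token layout are assumptions for the example; in a Django deployment the secret would be a server setting such as `SECRET_KEY`. Note the caveat: this token still reveals the primary key, so it addresses forgery and cheap spidering, not the "don't reveal record counts" concern from the same mail.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed secret for this example only. A real deployment keeps this
# server-side (e.g. Django's SECRET_KEY) and never sends it to the client.
SECRET_KEY = b"example-server-secret-do-not-ship"


def _mac(id_bytes: bytes, secret: bytes) -> bytes:
    """Keyed MAC over the id. Without `secret` an attacker cannot produce
    a valid tag for an id they made up, which is the whole point."""
    return hmac.new(secret, id_bytes, hashlib.sha256).digest()


def _b64(raw: bytes) -> bytes:
    """URL-safe base64 without padding, so the tag is safe in form fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def sign_id(record_id: int, secret: bytes = SECRET_KEY) -> str:
    """Build the value for the hidden form field: '<id>:<tag>'."""
    id_bytes = str(record_id).encode("ascii")
    return f"{record_id}:{_b64(_mac(id_bytes, secret)).decode('ascii')}"


def verify_id(token: str, secret: bytes = SECRET_KEY) -> Optional[int]:
    """Check a token that came back from the browser.

    Returns the integer id if the tag was produced with `secret` for that
    exact id, otherwise None. The comparison is constant-time so that the
    verifier does not leak how many leading bytes of a guessed tag match.
    """
    if ":" not in token:
        return None
    id_part, tag = token.split(":", 1)
    if not id_part.isdigit():
        return None
    expected = _b64(_mac(id_part.encode("ascii"), secret))
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return None
    return int(id_part)


if __name__ == "__main__":
    good = sign_id(1)
    print("field value:", good)
    print("verify untouched token:", verify_id(good))
    # Attacker edits the id in the proxy but cannot fix the tag.
    tampered = "2:" + good.split(":", 1)[1]
    print("verify tampered id:", verify_id(tampered))
    # Attacker signs with a guessed secret: also rejected.
    print("verify wrong-secret token:", verify_id(sign_id(2, b"guess")))
```

Because the tag is bound to the secret, the only way for a client to obtain a valid token for id N is to be handed one by the server, so a bot can no longer walk the id space by editing the hidden field. Whether the server then also rate-limits or authorises the lookup is a separate decision.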