Norman,

Thanks for your clarification, however, comments inline...

> You check that the hash sent back is correct by (re)hashing the id, duh.

Of course the hash will be correct, the bot will simply return what it received. The point is that this does not prevent anyone from being able to submit a form based on the id or hash or encrypted key. A hidden field or hash of a value in a web form does nothing for security in this (or nearly any other) case. Think about how http works.

> Since only you have the secret part it is computationally difficult for
> others to create hashes for arbitrary ids.

Granted, but this was never mentioned as the issue.

> One reason to hash id's is that you don't want people / bots whatever
> spidering all your data, this can be security(weak) or load related.

How does this work, he has said that his app does not have logged in users. Presumably any web client can do a GET to a relevant URL and view all of the data in the DB. His issue is with people POSTing data to the DB based on the form they GET.

> Another is CSRF http://www.djangoproject.com/documentation/csrf/

See my earlier comments for why this may not help in this case.

> A reason to not reveal primary keys is to not let competitors know how
> many records you have.
> http://www.guardian.co.uk/world/2006/jul/20/secondworldwar.tvandradio

Why not just set your sequence number to 500000 before you load data into the db or pre-load the first record with a high PK, and keep the competition guessing as to how many records you have:)

-richard

On 5/15/08, Norman Harman <[EMAIL PROTECTED]> wrote:
>
> Richard Dahl wrote:
> > Mike,
> > I concur with jonknee, the attribute 'hidden' on a form field simply
> > tells a browser that is following the standards not to display it.
> > The form field and all of the data within it is still sent via http.
> > Any script or proxy (i.e. webscarab) or other mechanism such as a
> > sniffer can get at the information within any http response or request
> > and view that information. Whether or not the id is sent back as '1'
> > or '9ghieus78yurhfyjdn' is irrelevant to solving your problem because
> > a script or bot can just as easily return either. The *accepted*
> > solution for this is CAPTCHA.
> > -richard
>
> You check that the hash sent back is correct by (re)hashing the id, duh.
>
> Since only you have the secret part it is computationally difficult for
> others to create hashes for arbitrary ids.
>
> One reason to hash id's is that you don't want people / bots whatever
> spidering all your data, this can be security(weak) or load related.
>
> Another is CSRF http://www.djangoproject.com/documentation/csrf/
>
> A reason to not reveal primary keys is to not let competitors know how
> many records you have.
> http://www.guardian.co.uk/world/2006/jul/20/secondworldwar.tvandradio
>
> --
> Norman J. Harman Jr. 512 912-5939
> Technology Solutions Group, Austin American-Statesman
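An added illustration of where the two positions above agree and where they part (example code, not from the thread or from Django; the secret and record ids are constructed): a keyed hash (HMAC) over the record id stops a client from forging a token for an id it was never handed, but a client that simply echoes back the token it received passes verification every time, so the hash proves integrity of the id, not that a human submitted the form.

```python
import hmac
import hashlib
from typing import Optional

# Constructed server-side secret for this example; in a real app it would be
# the application's own secret and would never appear in the form.
SECRET = b"example-secret-do-not-use"


def sign_id(record_id: int) -> str:
    """Value the server puts in the hidden field: '<id>:<hmac-sha256>'."""
    mac = hmac.new(SECRET, str(record_id).encode(), hashlib.sha256).hexdigest()
    return f"{record_id}:{mac}"


def verify_token(token: str) -> Optional[int]:
    """Recompute the MAC over the id; return the id if it checks out, else None."""
    try:
        id_part, mac = token.split(":", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, id_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return int(id_part)


def handle_post(form_token: str) -> str:
    """Simulated POST handler: accepts any submission whose token verifies."""
    return "accepted" if verify_token(form_token) is not None else "rejected"


def demo() -> dict:
    # 1. Any client (human or bot) GETs the form and receives the signed field.
    token_from_get = sign_id(42)
    # 2. Editing the id to point at another record fails: without the secret
    #    the client cannot produce a matching MAC (Norman's point).
    forged = "43:" + token_from_get.split(":", 1)[1]
    # 3. Echoing the token back unchanged passes, as often as the client likes;
    #    the hash says nothing about who is POSTing (Richard's point).
    return {
        "echoed_submission": handle_post(token_from_get),
        "tampered_id": handle_post(forged),
        "replayed_three_times": [handle_post(token_from_get) for _ in range(3)],
    }


if __name__ == "__main__":
    print(demo())
```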