Yay!! Now I can sleep tonight! So the docs say this about the CSRF middleware: "It may still be possible to use the middleware, provided you can find some way to get the CSRF token and ensure that is included when your form is submitted."
Has anyone found that way, or can anyone point me in the right direction? Or do I need to figure this out myself. Thanks folks! Taylor On Dec 18, 9:08 pm, anb <andrewbadr....@gmail.com> wrote: > > Each of my views use the @login_required decorator, is there anything > > else I need to do to ensure that the user is logged in and active > > (i.e. do I need to check user.is_active)? > > The meaning of is_active is an application decision. It's just a field > on the model, you can do whatever you want with it. > > > As stated above, my data comes through AJAX posts made by jQuery. Is > > this data automatically cleaned against SQL injection? If not, is > > there something in Django that I can call to access its cleaning > > ability? Or do I have to do it myself? > > Whether it comes through AJAX or not doesn't matter. If you use > Django's ORM to do your queries, you're safe from SQL injection. > > > I remember reading that Django Forms (haha, I still want to call them > > newforms.. good times) automatically prevent cross site request > > forgery by including a hidden, random, token. Is there a way that I > > can access this ability for my own prevention? > > Check out the CSRF middleware. You probably want to render a token > into all your pages and have your AJAX requests include it. > > Andrew --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django users" group. To post to this group, send email to django-users@googlegroups.com To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-users?hl=en -~----------~----~----~----~------~----~------~--~---
