[web2py] Re: SQLFORM security question

2016-01-06 Thread Joe
Thanks very much Massimo, I appreciate your reply.

On Tuesday, January 5, 2016 at 9:00:03 PM UTC+8, Massimo Di Pierro wrote:
> form = SQLFORM(db.table) prevents against CSRF but does not limit access.
> For that you need to decorate the page with @auth.requires_login() etc.
>
> Once SQLFORM stor

[web2py] Re: SQLFORM security question

2016-01-05 Thread Massimo Di Pierro
form = SQLFORM(db.table) prevents against CSRF but does not limit access. For that you need to decorate the page with @auth.requires_login() etc. Once SQLFORM stores data in the database it is in UTF8. If you extract data from the database and you display it in a page in any way other than wrapping in X

[web2py] Re: SQLFORM security question

2016-01-04 Thread Joe
Thanks very much Anthony, I appreciate the detailed explanation. This is what my understanding was as well, but I wasn't 100% sure. In my case, the input was user contact info and some text submitted by the form and kept in the db records and not written back to a web page. But this brings up a

[web2py] Re: SQLFORM security question

2016-01-04 Thread Anthony
By default, SQLFORM protects against cross-site request forgery attacks (via a hidden _formkey field, with a matching formkey value in the session). And the DAL protects against SQL injection when making database inserts. However, at form submission/database-insert time, nothing prevents users

[web2py] Re: SQLFORM security question

2016-01-04 Thread Joe
In the db record text I had this: sometext+www.mydomain.com@sometext.com http://sometext.com/?url=www.mydomain.com&id=e318 ...and more similar code. The input was long and it looked like a cross site scri

[web2py] Re: SQLFORM security question

2016-01-04 Thread Niphlod
it's the same code. A call to http://yoursite/yourapp/controller/function?url=something&id=somethingelse would not pass validation as SQLFORM is CSRF protected. If you are sure that that call got a record into the db, something is really wrong with your application as web2py doesn't allow it ou

[web2py] Re: SQLFORM security question

2016-01-04 Thread Joe
Thanks very much Niphlod, So, the special characters in the user input showing up in the table records text is basically harmless, right? That's what I thought. Thanks for the correct code. I actually thought the code was:

    form = SQLFORM(db.table).process()
    if form.accepted:
        do somethin

[web2py] Re: SQLFORM security question

2016-01-04 Thread Niphlod
any SQLFORM is CSRF protected so those kind of attempts resulted in nothing. the "correct code" is

    form = SQLFORM(db.table)
    if form.process().accepted:
        pass  # do something
    elif form.errors:
        pass  # error: this is probably where that call ended
    return dict(form=form)

On Monday, January 4, 2016 at