it's the same code.
A call to
http://yoursite/yourapp/controller/function?url=something&id=somethingelse
would not pass validation as SQLFORM is CSRF protected.
If you are sure that that call got a record into the db, something is
really wrong with your application as web2py doesn't allow it out of the
box.
On Monday, January 4, 2016 at 11:04:49 AM UTC+1, Joe wrote:
>
> Thanks very much Niphlod,
>
> So, the special characters in the user input showing up in the table
> records text is basically harmless, right? That's what I thought.
>
> Thanks for the correct code. I actually thought the code was:
>
> form = SQLFORM(db.table).process()
> if form.accepted:
>     pass  # do something
> elif form.errors:
>     pass  # errors; this is probably where that call ended
> So, the above is not correct?
>
> BTW: You mean this is where the attempt/call should have ended? It didn't
> end there. The form actually processed the input with the special
> characters. I read the entire input with the html code in it in the
> database table records. It shouldn't have processed it because of the
> special characters? I am probably misunderstanding you. Please kindly let
> me know.
>
> Thanks again.
>
> Cheers,
>
> Joe
>
> On Monday, January 4, 2016 at 5:38:41 PM UTC+8, Niphlod wrote:
>>
>> any SQLFORM is CSRF protected, so those kinds of attempts resulted in
>> nothing.
>>
>> the "correct code" is
>>
>> form = SQLFORM(db.table)
>> if form.process().accepted:
>>     pass  # do something
>> elif form.errors:
>>     pass  # error: this is probably where that call ended
>>
>> return dict(form=form)
>>
>> On Monday, January 4, 2016 at 7:26:56 AM UTC+1, Joe wrote:
>>>
>>> When I create a form do I need to do anything other than just have this
>>> line in the controller:
>>> form = SQLFORM(db.example).process()
>>> and then {{=form}} in the view?
>>> As far as security, this is enough just like that, right?
>>>
>>> The reason I am asking is because I just looked through the records in the
>>> database administration and a couple of the records indicated that someone
>>> was trying to hack my site by inserting HTML.
>>> So if I see something like that in the records, I shouldn't worry, right?
>>>
>>> It was just standard things like:
>>>
>>> sometext+www.mydomain.com@sometext.com
>>> http://sometext.com/?url=www.mydomain.com&id=e318
>>>
>>> I am pretty sure, this attempt didn't work but I would appreciate some
>>> feedback so I can learn more about this issue.
>>>
>>> Thanks very much.
>>>
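As an added illustration of the form-key check Niphlod describes (why a plain GET with url= and id= cannot get a record accepted) and of why markup stored in a record is harmless once it is escaped on output, here is a constructed Python model of the mechanism. It is not web2py's code; Session, render_form, accept_submission and stored_to_html are this example's own names, and the behaviour is a simplified model of what SQLFORM.process() does.

```python
import secrets
from html import escape

# Constructed model of the anti-CSRF form-key check behind SQLFORM.process().
# Not web2py's own code; names and details are this example's assumptions.


class Session(dict):
    """Stands in for web2py's server-side session object."""


def render_form(session, formname):
    """Server renders the form: mint a one-time key, remember it in the
    session, and emit it as hidden fields next to the form name."""
    key = secrets.token_hex(16)
    session.setdefault(f"_formkey[{formname}]", []).append(key)
    return {"_formname": formname, "_formkey": key}


def accept_submission(session, formname, method, vars):
    """Return (accepted, errors). A submission is accepted only when it is a
    POST that carries the form name and a key still present in the session;
    the key is consumed on use so it cannot be replayed. Query-string
    parameters on a GET never reach the validation step at all."""
    errors = {}
    if method != "POST":
        return False, {"_method": "form data must be POSTed"}
    keys = session.get(f"_formkey[{formname}]", [])
    if vars.get("_formname") != formname or vars.get("_formkey") not in keys:
        return False, {"_formkey": "invalid or missing form key"}
    keys.remove(vars["_formkey"])
    # Field validation only runs once the CSRF check has passed.
    if not vars.get("text"):
        errors["text"] = "cannot be empty"
    return (not errors), errors


def stored_to_html(value):
    """What {{=value}} does in a view: escape before output, so markup that
    was saved in a record is displayed as text rather than interpreted."""
    return escape(value, quote=True)
```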