For update forms, web2py includes the record ID as a hidden field and 
verifies that it matches the original record ID on the server to ensure the 
user doesn't try to update a different record. You have not included the 
record ID in your form, so this verification fails.

As noted earlier, please at least use form.custom.end in your custom HTML 
forms -- otherwise, you miss out on protection from CSRF and record ID 
tampering. Also, do not set session=None, or you will be open to CSRF 
attacks.

Anthony

On Thursday, June 16, 2016 at 5:57:26 AM UTC-4, Jeff Riley wrote:
>
> Hey Anthony thank you very much for responding.  I am attaching the code I 
> use for the create form which is working great and the code for the update 
> form which is giving me the grief.  Please let me know if there is more 
> information you might need and I so appreciate all your help.
>
> On Wednesday, June 15, 2016 at 8:52:22 AM UTC-5, Jeff Riley wrote:
>>
>> All.  I was going to link this to my "Pure HTML Form" question just not 
>> sure how to do that.  As you see in that question I was able to get past my 
>> copy paste issue and get the create form to work perfectly.  Thank you all 
>> for the extra eyes.
>>
>> Now I am building the update form and I am getting "user is tampering 
>> with form's record_id: None != 1".  I have tried removing the _formkey and 
>> setting session=None, but that does not seem to work either.  Have been 
>> searching the docs but nothing is slapping me upside the head.
>>
>> Any ideas?
>>
>
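
A simplified, stand-alone model of the two server-side checks described in the reply above: the hidden record ID comparison and the session-backed form key. This is an added example, not web2py's code and not from the thread; the function names, the session layout and the sample submissions are assumptions.

```python
import hmac
import secrets


class TamperingError(Exception):
    """The posted record id is not the id the form was built for."""


def hidden_fields(session, formname, record_id):
    """On GET: mint a one-time token, remember it in the session, and return
    the hidden inputs the rendered form must post back."""
    formkey = secrets.token_hex(16)
    session.setdefault("formkeys:" + formname, []).append(formkey)
    return {"id": str(record_id), "_formname": formname, "_formkey": formkey}


def accept_update(session, formname, record_id, post_vars):
    """On POST: True only for the same record with an unused token."""
    posted_id = post_vars.get("id")
    if posted_id != str(record_id):
        raise TamperingError("record_id: %s != %s" % (posted_id, record_id))
    if post_vars.get("_formname") != formname:
        return False
    keys = session.get("formkeys:" + formname, [])
    posted_key = post_vars.get("_formkey", "")
    for key in keys:
        if hmac.compare_digest(key, posted_key):
            keys.remove(key)  # single use: a replayed POST is rejected
            return True
    return False  # no valid token: treated as a cross-site submission


def demo():
    """Constructed submissions against an update form for record 1."""
    session, name, out = {}, "person_update", {}
    hidden = hidden_fields(session, name, 1)
    try:  # hand-written HTML form that omits the hidden inputs
        accept_update(session, name, 1, {"first_name": "Jeff"})
    except TamperingError as exc:
        out["no_hidden_inputs"] = str(exc)
    # right record id but no token, as a forged cross-site POST would be
    out["no_token"] = accept_update(session, name, 1, {"id": "1", "_formname": name})
    # all hidden inputs posted back
    out["complete"] = accept_update(session, name, 1, dict(hidden, first_name="Jeff"))
    # same token submitted a second time
    out["replay"] = accept_update(session, name, 1, dict(hidden, first_name="Jeff"))
    return out


if __name__ == "__main__":
    print(demo())
```

The first case reproduces the "None != 1" mismatch from the original question: with no hidden `id` input in the HTML, the server has nothing to compare against the record it loaded.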
