Aha! Good point. This is one of the problems we had to solve when designing web2py.

When web2py creates a form, it stores two hidden fields in it: _formname and _formkey. If a form is submitted, it contains _formname. accepts performs validation only in this case. If a field does not pass validation, an error message is generated and inserted in the form HTML.

_formkey is used only if you pass "session" to accepts. It associates a unique key with the form, and it is used to prevent double submission and the associated vulnerability.

On Jan 5, 10:14 pm, Christopher Helck <christopher.he...@gmail.com> wrote:
> I can not understand form.accepts(). I think it's because my intuitive
> understanding of web2py is wrong. Here's how I think it works:
>
> A simple controller function (index(), say) can return a string, in which
> case web2py will simply serve it up as a web page.
> The same function can return a dictionary, in which case web2py takes the
> dictionary, finds a corresponding view file, merges them together using
> token replacement and serves the resulting string as a web page.
>
> So, when I see a controller method looking something like:
>
> def show():
>     form = SQLFORM(...)
>     if form.accepts(request.vars, session):
>         ...
>
> I'm reading it as: create a form, and if the user's input (request.vars) is
> valid then process the input. My problem is that the form has not been
> served up to the user, so how can we have the user's input?
>
> Obviously I am confused. Any help would be appreciated.
>
> Regards,
> C. Helck
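The flow described in the reply above, as an added example: a simplified model written for this page, not web2py's code and not part of the original message. `ToyForm`, its session slot name and `demo` are hypothetical; only the `_formname` and `_formkey` field names and the `accepts(vars, session)` call shape come from the thread.

```python
import secrets


class ToyForm:
    """Toy model of the _formname/_formkey flow (assumed, not web2py's class)."""

    def __init__(self, formname="default"):
        self.formname = formname
        self.hidden = {"_formname": formname}  # rendered as hidden inputs
        self.errors = {}
        self._slot = "_formkey[%s]" % formname  # hypothetical session slot

    def accepts(self, request_vars, session=None, validators=None):
        # No _formname means nothing was submitted yet: skip validation.
        ok = request_vars.get("_formname") == self.formname
        if ok and session is not None:
            # The key issued with the last rendering is consumed on use,
            # so a replayed or key-less POST finds no matching key.
            expected = session.pop(self._slot, None)
            sent = str(request_vars.get("_formkey", ""))
            ok = expected is not None and secrets.compare_digest(
                expected.encode(), sent.encode())
        if ok:
            for field, check in (validators or {}).items():
                error = check(request_vars.get(field, ""))
                if error:
                    self.errors[field] = error  # shown next to the field
            ok = not self.errors
        if session is not None:
            # Issue a fresh key for the form that is about to be rendered.
            self.hidden["_formkey"] = session[self._slot] = secrets.token_hex(16)
        return ok


def demo():
    """Constructed request sequence: first GET, POST, replayed POST, key-less POST."""
    session = {}
    rules = {"name": lambda v: None if v.strip() else "cannot be empty"}
    first = ToyForm()
    results = [first.accepts({}, session, rules)]          # page load, no input yet
    post = dict(first.hidden, name="Chris")                # browser echoes hidden fields
    results.append(ToyForm().accepts(post, session, rules))  # genuine submission
    results.append(ToyForm().accepts(post, session, rules))  # same POST sent again
    forged = {"_formname": "default", "name": "x"}         # no _formkey at all
    results.append(ToyForm().accepts(forged, session, rules))
    return results


if __name__ == "__main__":
    print(demo())
```

The first call answers the question in the quoted message: the controller runs `accepts` on the initial page load too, and it returns false there because no `_formname` has come back yet.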