On Oct 25, 1:17 am, Ruiwen Chua <rwc...@gmail.com> wrote:
> I see. So form.accept() will not parse any field unless explicitly
> defined in SQLFORM?
>
> (Ok I'm not sure if I should start another thread for this, but a few
> issues I found with using SQLFORM.. so perhaps I'm still doing
> something wrong.)
>
> a) I have multiple forms (for the same model) on a page, now generated
> using SQLFORM
>
> However, each generated SQLFORM gives identical id attributes in the
> <div>s it generates, and that breaks validation

http://www.web2py.com/book/default/chapter/07#Multiple-forms-per-page

> b) I need these forms to post to a different controller from the one
> that generated them (via normal post or AJAX)
>
> What's the best way to get the receiving controller to recognise the
> incoming form with the hidden fields, seeing as it was generated in a
> different controller?

If you have the form object:

accepts(request.post_vars,None,formname=None)

If you do not, just use request.vars and do a db io manually. Using a
different controller function breaks validation.

> Thanks for the help so far though.
>
> On Oct 25, 1:15 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > Say you have:
>
> > db.define_table('user',Field('name'),Field('manager',writable=False,default='no'))
>
> > and a registration form:
>
> > def register():
> >     form=SQLFORM(db.user)
> >     form.accepts(request.vars)
>
> > If attackers were allowed to do
>
> > http://.../register?name=me&manager=yes
>
> > they would be able to change the manager status even if it does not
> > appear in the form. Only fields that are declared as writable and
> > visible to SQLFORM can be inserted in the db.
>
> > web2py has lots of security mechanisms and we are working on even
> > more!
>
> > Massimo
>
> > On Oct 25, 12:07 am, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > Thanks for the clarification.
>
> > > Though, in what way is this a security mechanism?
>
> > > On Oct 25, 1:03 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > > I understand. That is intended. That is a security mechanism.
> > > > You must use SQLFORM(...,hidden=...)
>
> > > > On Oct 24, 11:46 pm, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > > > formname=None)
>
> > > > > And even so, only the non-hidden field is saved to the database.
>
> > > > > On Oct 25, 12:43 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > > > > The hidden fields will be in request.vars but not in form.vars
> > > > > > because accepts does not know they are supposed to be there and
> > > > > > protects you from injection attacks.
>
> > > > > > You can also try to use this:
>
> > > > > > form=SQLFORM(....,hidden=dict(key='value'))
>
> > > > > > Massimo
>
> > > > > > On Oct 24, 11:39 pm, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > > > > > Apologies, I wasn't clear. I meant that the form in the view is
> > > > > > > static HTML and not generated by SQLFORM.
>
> > > > > > > However, in the action that receives the POST, I instantiate a new
> > > > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > > > On Oct 25, 12:30 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > > > > > > if you use
>
> > > > > > > > form.accepts()
>
> > > > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > > > On Oct 24, 11:27 pm, Ruiwen Chua <rwc...@gmail.com> wrote:
>
> > > > > > > > > Hi all,
>
> > > > > > > > > I have created a manual HTML form (not FORM() or SQLFORM())
> > > > > > > > > that has a few hidden fields (ie. <input type="hidden">..)
>
> > > > > > > > > When this form posts back to the controller, form.accepts()
> > > > > > > > > returns True, but only the non-hidden field (there is only one,
> > > > > > > > > the rest are hidden) is saved to the database. The other fields
> > > > > > > > > all get saved as NULL.
>
> > > > > > > > > Is there something I'm missing?
>
> > > > > > > > > Thanks
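As an added illustration (not web2py's code and not from anyone in the thread), a plain-Python model of the whitelist behaviour Massimo describes: the `Field`/`USER_FIELDS` stand-ins and the `TAMPERED_POST` dict are constructed to match the `db.define_table('user', ...)` example and the `?name=me&manager=yes` request, and the `hidden` parameter stands in for the keys you would declare with `SQLFORM(..., hidden=dict(...))`.

```python
from dataclasses import dataclass
from typing import Any


@dataclass
class Field:
    """Constructed stand-in for web2py's Field; only the attributes the thread uses."""
    name: str
    writable: bool = True
    default: Any = None


# Mirrors the thread's db.define_table('user', ...) declaration.
USER_FIELDS = [
    Field('name'),
    Field('manager', writable=False, default='no'),
]


def naive_insert(fields, post_vars):
    """The unsafe pattern the thread warns about: every submitted key lands in the row."""
    row = {f.name: f.default for f in fields}
    row.update(post_vars)
    return row


def whitelisted_insert(fields, post_vars, hidden=()):
    """Model of what SQLFORM.accepts does: only writable fields are taken from the client.

    Non-writable columns always get their declared default. Keys listed in
    `hidden` are expected extras (read them from request.vars yourself, as
    Massimo says); any other unexpected key is reported in `rejected`, which is
    worth logging because it is a tampering indicator.
    """
    writable = {f.name for f in fields if f.writable}
    row = {}
    for f in fields:
        if f.name in writable and f.name in post_vars:
            row[f.name] = post_vars[f.name]
        else:
            row[f.name] = f.default
    rejected = sorted(k for k in post_vars if k not in writable and k not in hidden)
    return row, rejected


# Constructed request body matching the thread's ?name=me&manager=yes example.
TAMPERED_POST = {'name': 'me', 'manager': 'yes'}

if __name__ == '__main__':
    print(naive_insert(USER_FIELDS, TAMPERED_POST))        # manager silently becomes 'yes'
    print(whitelisted_insert(USER_FIELDS, TAMPERED_POST))  # manager stays 'no'; ['manager'] rejected
```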