Thank you! Yes, I forgot about the csrf. You are right, it would be 
difficult to fake the CSRF string.

Just in general, is it a good idea to expose primary keys like this? 
Sometimes you can see them in URLs too, like: www.yoursite/blog/1/, where 1 
would be the primary key of a blog.

On Wednesday, 27 May 2015 22:01:37 UTC+8, Matthias Müller wrote:
>
> Without looking at the link I guess that your explanation is more or less 
> correct. 
>
> But it's not a security issue that the database is updated by a form. It 
> has to be updated by a form. To make it a correct Django form there is a 
> hidden field with the CSRF token. This protects the database from being 
> updated by any illegal source. 
>
> In your example this CSRF field is missing, most probably for didactical 
> reasons. 
>
> Refer to https://docs.djangoproject.com/en/1.8/ref/csrf/
>
> Cheers
> Matthias
>
> 2015-05-27 15:47 GMT+02:00 Cheng Guo <[email protected]>:
>
>> Hello,
>>
>> I have a formset and when I render it, Django would include this line in 
>> the HTML:
>>
>> <input id="id_form-0-id" name="form-0-id" type="hidden">
>>
>> I am curious what is the purpose of having an id field here. 
>>
>> I mean in what situation would you use it. I did look through Django's 
>> documentation on formsets 
>> <https://docs.djangoproject.com/en/1.8/topics/forms/formsets/#can-delete> 
>> but cannot find much documentation on this.
>> One answer I got is that this id field is the value of the primary key of 
>> the model bound to this form. It is there so that when the formset updates, 
>> people can use it to retrieve the corresponding record from the database.
>>
>> Is the above explanation correct?
>>
>> If this explanation is correct, then my next question is, wouldn't it be 
>> dangerous to expose the primary key like that? I can make a POST call to 
>> your server with a modified pk which can mess up your database.
>>
>> Thank you!
>>
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/285ee494-8b28-42cd-8af9-4cb33983a82c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
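The thread raises two separate concerns: the CSRF token (which stops a third-party site from submitting the form on a logged-in user's behalf) and a logged-in user editing the hidden `form-0-id` to point at a row they should not touch. The block below is an added example, not code from the thread or from Django itself; it models both checks in plain Python so it runs without a Django install. The CSRF comparison is a simplified stand-in for Django's middleware (no token masking), the field names `csrfmiddlewaretoken`, `form-TOTAL_FORMS` and `form-N-id` follow Django's formset conventions, and `OWNED_IDS` is a constructed stand-in for a per-user queryset. The point it shows is that a valid CSRF token alone does not reject a tampered primary key; a separate ownership check on every submitted id is what does.

```python
import hmac
import secrets

# Constructed sample: the primary keys this signed-in user is allowed to edit,
# i.e. what a per-user queryset (e.g. objects filtered by author=user) would yield.
OWNED_IDS = {1, 2, 3}


def issue_csrf_token():
    """Fresh random token: stored in the session and echoed as a hidden field."""
    return secrets.token_hex(32)


def csrf_token_matches(session_token, submitted_token):
    """Constant-time comparison of the hidden-field token with the session copy.
    (Simplified model of the middleware check, not Django's own code.)"""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def parse_formset_ids(post, prefix="form"):
    """Read the management form and collect the hidden <prefix>-N-id values.
    Returns a list of (form_index, pk_or_None); a blank id means "new row".
    Raises ValueError when the management form or an id is malformed."""
    try:
        total = int(post.get(f"{prefix}-TOTAL_FORMS", ""))
    except ValueError:
        raise ValueError("management form missing or tampered")
    ids = []
    for i in range(total):
        raw = post.get(f"{prefix}-{i}-id", "")
        if raw == "":
            ids.append((i, None))  # extra form: creates a new record, no pk yet
            continue
        try:
            ids.append((i, int(raw)))
        except ValueError:
            raise ValueError(f"{prefix}-{i}-id is not an integer")
    return ids


def check_submission(post, session_token, owned_ids):
    """Return "ok" or a short reason the POST is refused.

    Order matters: the CSRF check rejects forged cross-site requests, and the
    ownership check rejects a genuine user's request that names foreign rows.
    Each check catches something the other does not."""
    if not csrf_token_matches(session_token, post.get("csrfmiddlewaretoken")):
        return "csrf"
    try:
        ids = parse_formset_ids(post)
    except ValueError:
        return "malformed"
    foreign = sorted(pk for _, pk in ids if pk is not None and pk not in owned_ids)
    if foreign:
        return f"forbidden ids: {foreign}"
    return "ok"


def demo():
    """Constructed POST bodies: a legitimate edit and a tampered pk with a valid token."""
    token = issue_csrf_token()
    legit = {
        "csrfmiddlewaretoken": token,
        "form-TOTAL_FORMS": "2", "form-INITIAL_FORMS": "1",
        "form-0-id": "2", "form-0-title": "edited title",
        "form-1-id": "", "form-1-title": "brand new row",
    }
    tampered = dict(legit, **{"form-0-id": "42"})  # 42 is not in OWNED_IDS
    return {
        "legit": check_submission(legit, token, OWNED_IDS),
        "tampered": check_submission(tampered, token, OWNED_IDS),
        "no_csrf": check_submission(dict(legit, csrfmiddlewaretoken=""), token, OWNED_IDS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a Django view the equivalent of `owned_ids` is passing a queryset filtered to the current user into the formset (and using that same queryset when saving), so that the value in the hidden id field is only ever resolved within rows the user may edit; exposing the integer itself is then harmless, which is the same reasoning that applies to a pk in a URL such as /blog/1/.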
