>
> Just in general, is it a good idea to expose primary keys like this?
> sometimes you can see them in urls too, like: www.yoursite/blog/1/,  1
> would be the primary key of a blog.


It's an easy way to refer to an object. Unless there is a secure connection,
this is IMHO the best way to refer to the object.

Of course you can make it complicated (with lookup tables on the server
etc.), but the result matters.

And I like to keep my life and my apps simple.

2015-05-27 16:05 GMT+02:00 Cheng Guo <[email protected]>:

> Thank you! Yes, I forgot about the csrf. You are right, it would be
> difficult to fake the CSRF string.
>
> Just in general, is it a good idea to expose primary keys like this?
> sometimes you can see them in urls too, like: www.yoursite/blog/1/,  1
> would be the primary key of a blog.
>
> On Wednesday, 27 May 2015 22:01:37 UTC+8, Matthias Müller wrote:
>>
>> Without looking at the link I guess that your explanation is more or less
>> correct.
>>
>> But it's not a security issue that the database is updated by a form. It
>> has to be updated by a form. To make it a correct django form there is a
>> hidden field with the CSRF token. This protects the database from being
>> updated from any illegal source.
>>
>> In your example this CSRF token is missing, most probably for didactical
>> reasons.
>>
>> Refer to https://docs.djangoproject.com/en/1.8/ref/csrf/
>>
>> Cheers
>> Matthias
>>
>> 2015-05-27 15:47 GMT+02:00 Cheng Guo <[email protected]>:
>>
>>> Hello,
>>>
>>> I have a formset and when I render it, Django would include this line in
>>> the HTML:
>>>
>>> <input id="id_form-0-id" name="form-0-id" type="hidden">
>>>
>>> I am curious what is the purpose of having an id field here.
>>>
>>> I mean in what situation would you use it. I did look through Django's
>>> documentation on formsets
>>> <https://docs.djangoproject.com/en/1.8/topics/forms/formsets/#can-delete>
>>> but cannot find much documentation on this.
>>> One answer I got is that this id field is the value of the primary key
>>> of the model bound to this form. It is there so that when the formset
>>> updates, people can use it to retrieve the corresponding record from the
>>> database.
>>>
>>> Is the above explanation correct?
>>>
>>> If this explanation is correct, then my next question is, wouldn't it
>>> be dangerous to expose the primary key like that? I can make a POST call to
>>> your server with a modified pk which can mess up your database.
>>>
>>> Thank you!
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at http://groups.google.com/group/django-users.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/django-users/18e0d250-c4a9-4060-ae4f-19afb57566e0%40googlegroups.com
>>> <https://groups.google.com/d/msgid/django-users/18e0d250-c4a9-4060-ae4f-19afb57566e0%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>


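The question running through this thread is whether a client can POST a modified `form-0-id` (or request `/blog/2/` instead of `/blog/1/`) and overwrite a row it should not touch. A CSRF token does not answer that question: it proves the request came from a page the site served to this browser, not that this user is allowed to edit row 2. What makes an exposed primary key harmless is server-side authorization: the posted id must be resolved against rows the requesting user owns. In Django that is what passing `queryset=Blog.objects.filter(owner=request.user)` to a model formset achieves (the formset looks the hidden id up in its own queryset, so an id for someone else's row does not map to that row), and for the URL case `get_object_or_404(Blog, pk=pk, owner=request.user)` does the same job. The block below is an added example, not code from the thread or from Django itself: it stands in for the formset save with a small in-memory table and plain functions, and the names `BLOGS`, `parse_formset`, `save_formset_unscoped`, `save_formset_scoped` and `tampered_post` are hypothetical, chosen for illustration.

```python
"""
Added example (not from the mailing-list thread or from Django): a client
can always edit the hidden form-N-id field, so the server must scope the
lookup of that id to the requesting user. BLOGS and the functions below are
hypothetical stand-ins for the ORM and the model formset, not Django API.
"""
import copy

# Constructed sample table: pk -> row. Row 2 belongs to a different user.
BLOGS = {
    1: {"owner": "alice", "title": "Alice's first post"},
    2: {"owner": "bob", "title": "Bob's private draft"},
}


def fresh_table():
    """Independent copy of the sample table so each save starts clean."""
    return copy.deepcopy(BLOGS)


def parse_formset(post):
    """Turn the flat POST dict a Django formset renders (form-TOTAL_FORMS,
    form-<i>-id, form-<i>-<field>) into a list of (pk, fields) tuples.
    The hidden id is returned as client-supplied data only; deciding whether
    the caller may touch that row is the job of the save functions."""
    total = int(post["form-TOTAL_FORMS"])
    forms = []
    for i in range(total):
        prefix = f"form-{i}-"
        raw_pk = post.get(prefix + "id", "")
        pk = int(raw_pk) if raw_pk.isdigit() else None
        fields = {k[len(prefix):]: v for k, v in post.items()
                  if k.startswith(prefix) and k != prefix + "id"}
        forms.append((pk, fields))
    return forms


def save_formset_unscoped(post, user, table):
    """Vulnerable: trusts form-N-id and updates whatever row it names.
    A CSRF token (checked elsewhere) does not help here, because a logged-in
    user can submit any id they like from their own browser."""
    updated = []
    for pk, fields in parse_formset(post):
        if pk is not None and pk in table:
            table[pk].update(fields)
            updated.append(pk)
    return updated


def save_formset_scoped(post, user, table):
    """Hardened: resolve the posted id only against rows the user owns, the
    way a model formset built with queryset=Blog.objects.filter(owner=user)
    does. An id outside that set is not applied, so the hidden field acts as
    a selector, never as a grant of access."""
    owned = {pk: row for pk, row in table.items() if row["owner"] == user}
    updated = []
    for pk, fields in parse_formset(post):
        if pk is not None and pk in owned:
            owned[pk].update(fields)
            updated.append(pk)
    return updated


def tampered_post():
    """Constructed POST body: alice edits her own row and rewrites the hidden
    form-1-id to point at bob's row, exactly the attack the thread asks about."""
    return {
        "form-TOTAL_FORMS": "2",
        "form-INITIAL_FORMS": "2",
        "form-0-id": "1",
        "form-0-title": "Alice's post, edited",
        "form-1-id": "2",            # tampered: alice does not own pk 2
        "form-1-title": "Defaced by alice",
    }


def demo():
    """Run the same tampered POST through both handlers and return what
    bob's row looks like afterwards in each case."""
    unscoped = fresh_table()
    scoped = fresh_table()
    save_formset_unscoped(tampered_post(), "alice", unscoped)
    save_formset_scoped(tampered_post(), "alice", scoped)
    return unscoped[2]["title"], scoped[2]["title"]


if __name__ == "__main__":
    unscoped_title, scoped_title = demo()
    print("unscoped handler, bob's row:", unscoped_title)
    print("scoped handler,   bob's row:", scoped_title)
```

The point of the pair is that nothing about the hidden field or the URL changes between the two handlers; only the lookup does. Exposing the integer pk is fine, and a lookup table of opaque tokens would not fix the unscoped version either, since an attacker who can see their own token can still guess or obtain another one. The check that matters is the ownership filter in the query.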