Wow! Simon, thanks for the very specific code - I was having difficulty with pickle and your sample code brought everything together so perfectly.
A big thanks to you!

-Warren

----- Original Message -----
From: "Simon Willison" <[EMAIL PROTECTED]>
To: "Django users" <django-users@googlegroups.com>
Sent: Monday, April 23, 2007 7:57 PM
Subject: Re: Newforms and Hidden Fields - verifying POST data

> On Apr 23, 5:04 pm, Tipan <[EMAIL PROTECTED]> wrote:
>> I'm seeking advice on how to ensure my form data in hidden fields is
>> the same after the user has posted the form.
>
> Sign it. The easiest way to do this would be something like this:
>
> 1. Throw all of the data you want to persist in a pickle, then base64
> it for good measure:
>
>     pickled = pickle.dumps(my_data).encode('base64')
>
> 2. Use your secret key to calculate an MD5 signature:
>
>     signature = md5.new(SECRET_KEY + pickled).hexdigest()
>
> 3. Serve up the pickled data AND the signature as hidden fields.
>
> Then when the user submits the form again, you can check that they
> haven't tampered with the data by doing this:
>
>     pickled = request.POST.get('pickled', '')
>     signature = request.POST.get('signature', '')
>
>     if pickled:
>         if signature != md5.new(SECRET_KEY + pickled).hexdigest():
>             raise NastyError, "You tampered with my data!"
>         else:
>             my_data = pickle.loads(pickled.decode('base64'))
>
> The same technique can be used in lots of other places - cookies for
> example. The only way the user can tamper with the data you have sent
> them is if they know your SECRET_KEY.
>
> Hope that helps,
>
> Simon Willison

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
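The sign-then-verify pattern from Simon's message, written out as an added Python 3 example (not code from the thread or from Django itself). It keeps the same two hidden fields but swaps in HMAC-SHA256 over a JSON payload for the key-prefixed MD5 over a pickle, and compares signatures in constant time; SECRET_KEY and the simulated POST dictionaries are constructed here for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real app reads settings.SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"


def sign_hidden_data(data, secret=SECRET_KEY):
    """Serialize data and return (payload, signature) for two hidden fields.

    JSON is used instead of pickle: unpickling bytes a client can edit lets
    the client choose what code runs on the server, a signature check that
    happens first is the only thing standing between the two."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    ).decode()
    # HMAC instead of md5(SECRET_KEY + payload): a keyed hash is not subject
    # to length-extension forgery and is what signing libraries use today.
    signature = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return payload, signature


def verify_hidden_data(payload, signature, secret=SECRET_KEY):
    """Return the original data if the signature matches, else None.

    compare_digest keeps the comparison time independent of how many leading
    hex digits of a guessed signature happen to be right."""
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def handle_post(post):
    """Mimic the view: read both hidden fields from a request.POST-like dict."""
    payload = post.get("payload", "")
    signature = post.get("signature", "")
    if not payload:
        return None
    return verify_hidden_data(payload, signature)


if __name__ == "__main__":
    payload, sig = sign_hidden_data({"price": 100, "item": "book"})
    # Untouched round trip through the browser.
    print(handle_post({"payload": payload, "signature": sig}))
    # Client edits the hidden payload but cannot produce a matching signature.
    edited = base64.urlsafe_b64encode(b'{"item":"book","price":1}').decode()
    print(handle_post({"payload": edited, "signature": sig}))
```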