Mike, I concur with jonknee: the attribute 'hidden' on a form field simply tells a browser that is following the standards not to display it. The form field and all of the data within it are still sent via HTTP. Any script or proxy (i.e. WebScarab) or other mechanism such as a sniffer can get at the information within any HTTP response or request and view that information. Whether or not the id is sent back as '1' or '9ghieus78yurhfyjdn' is irrelevant to solving your problem, because a script or bot can just as easily return either. The *accepted* solution for this is CAPTCHA. -richard
On 5/15/08, Mike Chambers <[EMAIL PROTECTED]> wrote:
>
> The value is encrypted in the form. The secret key, used to either
> decrypt or hash the value, is on the server, and not in the form.
>
> My application does not have the concept of logged in users.
>
> mike
>
> jonknee wrote:
> >
> > How would that help if the "secret" value was in the form already?
> > Bots and what not would see it all the same. If you want to stop spam
> > posts (which is what I'm assuming you're up to) you can limit comments
> > to logged in users, run the data through something like Akismet, use a
> > CAPTCHA, etc. But obfuscating the ID is not going to accomplish much--
> > if it's available in the HTML that means a bot is going to see it too.
> >
> > You're probably better off just limiting users to X comments per hour
> > or something.
> >
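To make the point of this exchange concrete, here is an added example (not code from anyone in the thread, and not Django's own machinery) that models the two sides of the argument: a server-side secret is used to HMAC-sign the hidden field, so a client cannot alter the ID without detection, yet an unmodified hidden value resubmitted any number of times still verifies, because a signature only proves integrity, not that a human sent it. The block finishes with the per-client "X comments per hour" limiter jonknee suggests. The secret key, client identifiers and timestamps are constructed placeholders, and the limiter keeps its state in memory, which is an assumption for the demonstration rather than a deployment recommendation.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed placeholder: in practice this lives in server settings, never in the form.
SECRET_KEY = b"server-side-secret-never-placed-in-the-html"


def sign_hidden_field(value: str) -> str:
    """Produce the string a server would put in a hidden <input>: value plus HMAC tag."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{tag}"


def verify_hidden_field(token: str):
    """Return the original value if the tag matches, otherwise None (tampering detected)."""
    value, _, tag = token.rpartition(":")
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag byte by byte.
    if hmac.compare_digest(tag, expected):
        return value
    return None


def count_accepted_replays(token: str, attempts: int) -> int:
    """How many identical submissions of the same signed token pass verification.

    This is the crux of the thread: signing stops modification, not repetition.
    """
    return sum(1 for _ in range(attempts) if verify_hidden_field(token) is not None)


class RateLimiter:
    """Sliding-window limiter: at most `limit` accepted posts per `window` seconds per client."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps of accepted posts

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


if __name__ == "__main__":
    token = sign_hidden_field("42")
    print("signed hidden field:", token)
    print("verifies:", verify_hidden_field(token))
    # Changing the ID without the key breaks the tag.
    print("tampered verifies:", verify_hidden_field("7" + token[1:]))
    # But replaying the unmodified token is accepted every single time.
    print("replays accepted:", count_accepted_replays(token, 50))
    # Per-client throttling is what actually bounds the damage.
    limiter = RateLimiter(limit=3, window=3600.0)
    base = 1_000_000.0  # constructed epoch-style timestamp
    print("allowed:", [limiter.allow("203.0.113.7", base + i) for i in range(5)])
```

The limiter keys on whatever the server can attribute a request to (here a constructed address); since this application has no logged-in users, that attribution, combined with a CAPTCHA or a service like Akismet as richard and jonknee suggest, is the lever, not the format of the ID.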

