Why don't you want to expose raw database ids to the public? -richard
On 5/15/08, Mike Chambers <[EMAIL PROTECTED]> wrote:
>
> I am not concerned if they can send the hash back. I don't want them to be able to access the underlying value that the hash is based on.
>
> I am also not concerned about spam, but rather just don't want to expose raw database ids to the public.
>
> mike
>
> Richard Dahl wrote:
> > Mike,
> > I concur with jonknee, the attribute 'hidden' on a form field simply tells a browser that is following the standards not to display it. The form field and all of the data within it is still sent via http. Any script or proxy (i.e. webscarab) or other mechanism such as a sniffer can get at the information within any http response or request and view that information. Whether or not the id is sent back as '1' or '9ghieus78yurhfyjdn' is irrelevant to solving your problem because a script or bot can just as easily return either. The *accepted* solution for this is CAPTCHA.
> > -richard
> >
> > On 5/15/08, Mike Chambers <[EMAIL PROTECTED]> wrote:
> >> The value is encrypted in the form. The secret key, used to either decrypt or hash the value, is on the server, and not in the form.
> >>
> >> My application does not have the concept of logged in users.
> >>
> >> mike
> >>
> >> jonknee wrote:
> >>
> >>> How would that help if the "secret" value was in the form already? Bots and whatnot would see it all the same. If you want to stop spam posts (which is what I'm assuming you're up to) you can limit comments to logged in users, run the data through something like Akismet, use a CAPTCHA, etc. But obfuscating the ID is not going to accomplish much-- if it's available in the HTML that means a bot is going to see it too.
> >>>
> >>> You're probably better off just limiting users to X comments per hour or something.
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
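The construction Mike describes (a server-held key, an opaque value in the hidden field) side by side with the replay that Richard and jonknee point out, as an added Python example that is not code from this thread. It uses only the standard library, so the encryption is HMAC-SHA256 run as a counter-mode keystream with a separate HMAC tag (encrypt-then-MAC); in a real Django application you would use django.core.signing or an AEAD from a maintained crypto library rather than hand-assembling primitives. SECRET_KEY, make_token, read_token, tamper and bot_replays are hypothetical names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import os
import struct

# Hypothetical server-side secret. Assumption: in a real Django app this comes
# from settings and is never rendered into a template or form.
SECRET_KEY = b"example-only-secret-do-not-use-in-production"

# Separate keys for confidentiality and integrity, derived from the one secret.
_ENC_KEY = hashlib.sha256(b"enc:" + SECRET_KEY).digest()
_MAC_KEY = hashlib.sha256(b"mac:" + SECRET_KEY).digest()

NONCE_LEN, ID_LEN, TAG_LEN = 12, 8, 16


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(k, nonce || i)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(_ENC_KEY, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def make_token(row_id: int, nonce: bytes = None) -> str:
    """Turn a database id into an opaque, tamper-evident string for the form.

    Layout: nonce || (id XOR keystream) || HMAC tag (encrypt-then-MAC).
    A fresh random nonce means the same id yields a different token on every
    render, so a client cannot even tell whether two forms refer to one row.
    """
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    plaintext = struct.pack(">Q", row_id)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, ID_LEN)))
    tag = hmac.new(_MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode("ascii")


def read_token(token: str):
    """Recover the id from a submitted token; None if it is malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # bad padding, non-ASCII input, etc.
        return None
    if len(raw) != NONCE_LEN + ID_LEN + TAG_LEN:
        return None
    nonce = raw[:NONCE_LEN]
    ciphertext = raw[NONCE_LEN:NONCE_LEN + ID_LEN]
    tag = raw[NONCE_LEN + ID_LEN:]
    expected = hmac.new(_MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison, and verify the MAC before touching the ciphertext.
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(nonce, ID_LEN)))
    return struct.unpack(">Q", plaintext)[0]


def tamper(token: str) -> str:
    """What a client that edits the hidden field does: flip one ciphertext bit."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


def bot_replays(token: str, times: int = 3) -> list:
    """Richard's point: a script that scraped the hidden field can resubmit it
    unchanged as often as it likes, and every submission verifies."""
    return [read_token(token) for _ in range(times)]


if __name__ == "__main__":
    token = make_token(42)
    print("hidden field value:", token)        # opaque, but fully visible to the client
    print("server decodes to :", read_token(token))
    print("edited token      :", read_token(tamper(token)))
    print("bot replay        :", bot_replays(token))
```

The token hides the id and rejects any edit, which is the property Mike is after. It does nothing for the bot case: the client holds a valid token the moment the page is served and can submit it repeatedly, which is what Richard and jonknee are saying. The rate limit or CAPTCHA they mention is a separate control layered on top, not a replacement for this one or vice versa.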

