> Each of my views uses the @login_required decorator, is there anything
> else I need to do to ensure that the user is logged in and active
> (i.e. do I need to check user.is_active)?

The meaning of is_active is an application decision. It's just a field on
the model, you can do whatever you want with it.

> As stated above, my data comes through AJAX posts made by jQuery. Is
> this data automatically cleaned against SQL injection? If not, is
> there something in Django that I can call to access its cleaning
> ability? Or do I have to do it myself?

Whether it comes through AJAX or not doesn't matter. If you use Django's
ORM to do your queries, you're safe from SQL injection.

> I remember reading that Django Forms (haha, I still want to call them
> newforms.. good times) automatically prevent cross site request
> forgery by including a hidden, random, token. Is there a way that I
> can access this ability for my own prevention?

Check out the CSRF middleware. You probably want to render a token into
all your pages and have your AJAX requests include it.

Andrew

You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
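The reason the ORM answer holds is that Django hands query values to the database driver as bound parameters rather than splicing them into the SQL text. The following is an added example, not code from the thread or from Django itself; it uses the standard-library sqlite3 module as a stand-in so it runs offline, with a constructed auth_user table and a constructed tautology payload of the kind an AJAX POST body could carry. lookup_vulnerable shows what goes wrong when the value is formatted into the statement (the same mistake is possible in Django if you build strings for raw(), extra() or a cursor.execute() call); lookup_parameterized shows the bound-parameter form that the ORM generates for a filter() call.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# A classic tautology payload, as it might arrive in an AJAX POST body.
INJECTION = "x' OR '1'='1"


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO auth_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Statement built by string formatting: the request value becomes SQL.

    Returns the list of matching usernames. With INJECTION as input the
    WHERE clause becomes  username = 'x' OR '1'='1'  and every row matches.
    """
    sql = "SELECT username FROM auth_user WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Statement with a bound parameter: the driver transmits the value
    separately, so the input cannot change the statement's structure.

    This is the shape Django's ORM produces for
    User.objects.filter(username=username); the quotes and OR in the
    payload are just characters to compare against, so nothing matches.
    """
    sql = "SELECT username FROM auth_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with an honest value and with the injection payload."""
    conn = make_db()
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTION),
        "honest_parameterized": lookup_parameterized(conn, "alice"),
        "injected_parameterized": lookup_parameterized(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

The honest value behaves identically in both functions; only the injected one differs, which is the whole point: parameterization is not input "cleaning" (the payload is stored and compared verbatim), it is keeping data and code on separate channels, so there is nothing you need to escape yourself as long as every query goes through the ORM's parameterized path.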

