I'm writing a goal tracking application. I'd like to write the goal entity key into a form like this:
<form action="/complete/<entity_key>" method="post">

However, I don't want a malicious user to be able to guess someone else's ID and complete their goal for them. My first thought on getting around this is to combine the goal entity key with something else (maybe the user's entity key), create a hash, and write them both into the URL like this:

<form action="/complete/<entity_key>/<combo_hash>" method="post">

I can then rehash upon submit and confirm that the URL was generated by my app and the key is valid.

1) Is there a better way to approach this problem?
2) If this is a good way to proceed, what is a good hash to apply here (URL-friendly, reasonably fast)?

Using Python.

Thanks for any suggestions,
Matt
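
A sketch of the scheme described in the question, added here as an example and not code from the original post: it uses a keyed HMAC-SHA256 with a server-side secret in place of a plain hash, because a tag computed only from values a user can see could be recomputed by that user. SECRET_KEY, the function names and the sample keys are assumptions, and entity keys are assumed to be URL-safe strings without "/".

```python
import base64
import hashlib
import hmac

# Assumption: a server-side secret loaded from configuration, never sent to
# the client. The value below is constructed for this example.
SECRET_KEY = b"constructed-demo-secret-change-me"


def sign_goal(goal_key: str, user_key: str, secret: bytes = SECRET_KEY) -> str:
    """Return a URL-safe tag binding goal_key to user_key."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (goal_key.encode("utf-8"), user_key.encode("utf-8"))
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # URL-safe base64 without padding keeps the tag usable as a path segment.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def form_action(goal_key: str, user_key: str) -> str:
    """Build the action path in the /complete/<entity_key>/<combo_hash> shape."""
    return "/complete/%s/%s" % (goal_key, sign_goal(goal_key, user_key))


def verify_submission(path: str, session_user_key: str) -> bool:
    """Recompute the tag for the logged-in user and compare in constant time."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "complete":
        return False  # tag missing or path malformed
    goal_key, tag = parts[1], parts[2]
    # The user key comes from the server-side session, not from the request.
    expected = sign_goal(goal_key, session_user_key)
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


if __name__ == "__main__":
    action = form_action("goal123", "userA")  # constructed sample keys
    print(action)
    print(verify_submission(action, "userA"))  # same user: accepted
    print(verify_submission(action, "userB"))  # different user: rejected
```

The tag only shows that the app issued this URL for this user; the handler should still load the goal and confirm it belongs to the logged-in user before changing it.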
