RE: [web2py] Re: Potential site trust abuse with default web2py setting?

2010-12-07 Thread Josh Jaques
I think I'd prefer to see the checking for external redirects in the redirect() 
function itself.

Perhaps on a redirect() to an external page the user should be taken to a 
warning page that they are about to exit the web2py site, and ask them if 
they're sure they want to continue.

This could be made bypassable via an extra parameter to redirect, or a site 
wide safe list of external redirects.

From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of 
Bruno Rocha
Sent: Tuesday, November 23, 2010 1:00 PM
To: web2py@googlegroups.com
Subject: Re: [web2py] Re: Potential site trust abuse with default web2py 
setting?

I think this can to be default (security matters), but needs to be configurable.

def avoid_external_next():
    if request.controller=='default' and request.function=='user':
        if request.vars._next and request.vars._next.startswith('http'):
            del request.vars._next

at the models level:

if some_setup_storage.avoid_external_next: avoid_external_next()

then, this will always be default, and executed until the user sets 
some_setup_storage.avoid_external_next = False

Or something like this.

2010/11/23 mdipierro <mdipie...@cs.depaul.edu>
Actually I appreciate you raising this issue and this is a healthy
discussion.
Security issues are very important for everybody here so thank you for
bringing this up.

Although I do not think this is a major issue I agree that it should
be avoided.
One way to avoid it is by adding this in one of your models:

if request.controller=='default' and request.function=='user':
    if request.vars._next and request.vars._next.startswith('http'):
        del request.vars._next

This will guarantee that only internal URLs can be passed via _next.
Such mechanism could be made default behavior but I need to check that
does not break anything.

What do you think? What do other people think?

Massimo

On Nov 23, 11:45 am, Richard G <richard.ga...@gmail.com> wrote:
 Sorry, I am not saying that a web2py site is susceptible to CSRF. I
 meant that a web2py site could be used 'in the process' to perform a
 request that match these criteria on another site.

 I find it weird to click on a link that is going to a legitimate
 web2py site, and loads this legitimate web2py site, but then redirects
 to an external site, only after I authenticate. (Based on using
 authentication).

 Again, a simple example scenario:
 ie: I receive a fraudulent email, asking me to update password.. click
 on it (yes.. first mistake), it redirects me to a legitimate web2py
 site (I think, maybe the email was not fraudulent?), which on this
 web2py site after I perform an action, redirects me to another site.

 I agree that a few items have to fall in place for this abuse to
 occur. But it still seems that at one point in the process, the user
 has placed trust in our site, and then our site redirects them
 elsewhere.

 If the community believes form submission redirection based on the
 forms variables is not a threat to our environment (It doesn't present
 a tangible risk to our site, but I see it as posing a risk to our
 site's trust, and thus our user's trust) then I'll stop arguing :)

 Again, thanks!

 On Nov 23, 10:57 am, mdipierro <mdipie...@cs.depaul.edu> wrote:

  What you suggest is indeed possible but...

  This is not an example of CSRF. CSRF is when a malicious site redirects
  the user to a site where the user is already authenticated (a web2py
  site) and forces the user to perform an action (for example submit a
  form). web2py prevents this by hiding a formkey in forms.

  What you suggest is an example of phishing. For the scam to work the
  victim would have to:
  1) start from the malicious web site
  2) login with a url provided by the malicious web site
  3) provide credentials to a clone of the original web site.

  If a user falls for 1,2,3 there are much easier ways to implement this
  scam even if web2py did not provide the next functionality and without
  redirecting at all to the web2py site.
  I do not believe this kind of phishing can be avoided.

  We can have a flag that checks whether _next is on a different domain
  but it would not prevent this type of scam, just this particular
  implementation.

  Massimo

  On Nov 23, 10:42 am, Richard G <richard.ga...@gmail.com> wrote:

   Howdy all,

   In web2py I've noticed a number of methods in gluon/tools.py that
   utilize client input to determine site flow:
   if next == DEFAULT:
       next = request.get_vars._next \
           or request.post_vars._next \
           or self.settings.login_next

   and subsequent
   if next and not next[0] == '/' and next[:4] != 'http':
       next = self.url(next.replace('[id]', str(form.vars.id)))
   redirect(next)

   Methods:
   AUTH: login, register, retrieve_username,
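
Added example (not part of the original thread and not web2py's own code): a stricter `_next` check that parses the URL instead of testing a prefix, combined with the site-wide safe list suggested above, and a comparison against the `startswith('http')` check quoted in the thread. The names `is_safe_next`, `prefix_check_keeps` and `SAFE_EXTERNAL_HOSTS`, and all hosts, are hypothetical; the sketch assumes local targets are always given as absolute paths.

```python
from urllib.parse import urlsplit

# Hypothetical site-wide safe list of external hosts (the idea raised above).
SAFE_EXTERNAL_HOSTS = frozenset({"docs.example.org"})

# Constructed _next values; app.example.com stands in for the web2py site.
SAMPLES = [
    "/default/index",
    "https://app.example.com/default/index",
    "https://docs.example.org/guide",
    "http://other.example.net/",
    "HTTPS://other.example.net/",
    "//other.example.net/",
    "https://app.example.com@other.example.net/",
]


def prefix_check_keeps(next_url):
    """Check quoted in the thread: _next is deleted only if it starts with 'http'."""
    return not (next_url and next_url.startswith("http"))


def is_safe_next(next_url, own_host, safe_hosts=SAFE_EXTERNAL_HOSTS):
    """Return True if next_url stays on own_host or targets a safe-listed host."""
    if not next_url or next_url != next_url.strip():
        return False
    # Browsers drop tab/CR/LF and treat '\' like '/', so refuse them outright.
    if any(ch in next_url for ch in "\\\t\r\n"):
        return False
    try:
        parts = urlsplit(next_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # No scheme and no host: accept only an absolute path on this site.
        return next_url.startswith("/") and not next_url.startswith("//")
    # urlsplit lower-cases the scheme, so 'HTTPS://' is handled like 'https://'.
    if parts.scheme not in ("http", "https"):
        return False  # covers '//host/...' (empty scheme) and 'javascript:' etc.
    host = (parts.hostname or "").lower()  # hostname excludes any 'user@' part
    return host == own_host.lower() or host in safe_hosts


def missed_by_prefix_check(samples, own_host):
    """Values the prefix check keeps although they lead off the site."""
    return [s for s in samples
            if prefix_check_keeps(s) and not is_safe_next(s, own_host)]


if __name__ == "__main__":
    for url in SAMPLES:
        print("%-45s prefix keeps=%-5s strict allows=%s" % (
            url, prefix_check_keeps(url), is_safe_next(url, "app.example.com")))
```

In a model file the strict check would replace the `startswith('http')` test, deleting `request.vars._next` whenever `is_safe_next` returns False.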
   

RE: [web2py] Re: plugin model execution order

2010-12-07 Thread Josh Jaques
Hey,

Just wanted to say that I also ran into a situation recently where it would 
have been nice to insert a model before db.py, and I wished it was possible.
 
Would be nice to allow 0_plugin_name folders as well.
This communication, including any attachments, does not necessarily represent 
official policy of Seccuris Inc.
Please see http://www.seccuris.com/Contact-PrivacyPolicy.htm  for further 
details about Seccuris Inc.'s Privacy Policy.
If you have received this communication in error, please notify Seccuris Inc. 
at i...@seccuris.com or at 1-866-644-8442.


RE: [web2py] convert python list to javascript array

2010-12-02 Thread Josh Jaques
Sounds like you're looking for response.json

def test():
    coords = ((1,2), (3,4), (5,6))
    return response.json(coords)

Returns a javascript array formatted like: [[1, 2], [3, 4], [5, 6]]

Or you can use response.json(dict(coords=coords)) to get a javascript object: 
{"coords": [[1, 2], [3, 4], [5, 6]]}

Note that you also don't have to immediately return the result of 
response.json, you can save it and output it in the view, inside a script 
tag, for example.

-----Original Message-----
From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of 1904
Sent: Thursday, December 02, 2010 9:12 AM
To: web2py-users
Subject: [web2py] convert python list to javascript array

Hello,

I'm totally new to web2py and I'm trying to use it with google maps api
and javascript to build a map.
So I got some longitudes and latitudes from a MySQL database.
The problem is that I can't convert the Python list [with the lat and
lng values] from the database into a javascript array which is needed.
I build the list with the values in a controller file and return it to
the view file.

Python list: coordinates((1,2) , (3,4) , (5,6))

I tried it on this way:

while(j=len()) //len = length of coordinates
{
var coor[{{=x}}][0] = {{=coordinates[y][0]}};
var coor[{{=x}}][1] = {{=coordinates[y][1]}};
j++;
}

but it is not possible because Y doesn't raise... So the question is
how can I use JS variables and/or Python variables together?


Thanks for help


RE: [web2py] Re: Possible BUG: Hidden fields in SQLFORM with custom render template

2010-11-26 Thread Josh Jaques
Works for me.

-----Original Message-----
From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of 
mdipierro
Sent: Thursday, November 25, 2010 10:01 PM
To: web2py-users
Subject: [web2py] Re: Possible BUG: Hidden fields in SQLFORM with custom render 
template

I like this. I will give some thought to it and this should
probably be made the default web2py behavior. Any objection?


[web2py] RE: Possible BUG: Hidden fields in SQLFORM with custom render template

2010-11-25 Thread Josh Jaques
Hey guys,

I looked into this a little more.

The problem seems to be that self.custom.begin and self.custom.end are computed 
as soon as the form is initialized, and the hidden fields get appended to 
self.custom.end only in the call to accepts.

For this same reason, I was also having problems setting a class on a form with 
a custom template using code like the following:
form = crud.read(db.table, id)
form["_class"] = "some class"

The class is set after the form is created, and hence never shows up in 
self.custom.begin.

I'm using a quick work around by defining the following simple classes:

# lets you add attributes after initialization to forms rendered with custom templates
class CustomFormBeginner(DIV):
    def __init__(self, form):
        self.form = form
    def xml(self):
        (begin, end) = self.form._xml()
        return "<%s %s>" % (self.form.tag, begin)

# ensures the hidden_field() are present on every form, regardless if accepts has been called
class CustomFormEnder(DIV):
    def __init__(self, form):
        self.form = form
    def xml(self):
        return "%s</%s>" % (self.form.hidden_fields().xml(),
                            self.form.tag)


And then externally set the form.custom.begin and form.custom.end at creation 
time like so:
form = crud.read(db.table, id)
form["_class"] = "some class"

form.custom.begin = CustomFormBeginner(form)
form.custom.end = CustomFormEnder(form)

This seems to solve the problem, and doesn't seem to break anything in the 
testing I've done.

Josh Jaques
Intern


[web2py] targeted web2py_ajax_init for dynamically inserted forms

2010-11-24 Thread Josh Jaques
If you load a form onto a web2py page via AJAX, it doesn't get the enhancements 
from web2py_ajax_init().

I've included a modified web2py_ajax_init that accepts an optional parent 
selector to provide some scope to web2py_ajax_init. In this way if you load a 
form onto a page, you can call web2py_ajax_init on that specific form to give 
it the enhancements, without affecting every other form on the page.

I've included the modified function here as it may be useful to others in the 
future.

An alternative approach may be to bind events using jQuery.live(), so that you 
don't have to explicitly call web2py_ajax_init() every time you load a form.


function web2py_ajax_init(parent) {
  var find = function(selector) {
    if (parent)
      return $(parent).find(selector);
    else
      return jQuery(selector);
  }
  find('.hidden').hide();
  find('.error').hide().slideDown('slow');
  find('.flash').click(function() { find(this).fadeOut('slow'); return false; });
  // find('input[type=submit]').click(function(){var t=find(this);t.hide();t.after('<input class="submit_disabled" disabled="disabled" type="submit" name="'+t.attr("name")+'_dummy" value="'+t.val()+'">')});
  find('input.integer').keyup(function(){this.value=this.value.reverse().replace(/[^0-9\-]|\-(?=.)/g,'').reverse();});
  find('input.double,input.decimal').keyup(function(){this.value=this.value.reverse().replace(/[^0-9\-\.]|[\-](?=.)|[\.](?=[0-9]*[\.])/g,'').reverse();});
  find("input[type='checkbox'].delete").each(function(){find(this).click(function() { if(this.checked) if(!confirm("{{=T('Sure you want to delete this object?')}}")) this.checked=false; });});
  try {find("input.date").focus(function() {Calendar.setup({
     inputField:this.id, ifFormat:"{{=T('%Y-%m-%d')}}", showsTime:false
  }); }); } catch(e) {};
  try { find("input.datetime").focus( function() {Calendar.setup({
     inputField:this.id, ifFormat:"{{=T('%Y-%m-%d %H:%M:%S')}}", showsTime: true,timeFormat: "24"
  }); }); } catch(e) {};
  try { find("input.time").timeEntry(); } catch(e) {};
};



RE: [web2py] Re: targeted web2py_ajax_init for dynamically inserted forms

2010-11-24 Thread Josh Jaques
Background on jQuery live:
--------------------------
The classic way to bind to an event is doing something like:
jQuery(selector).click(function() {
    // do some stuff
});
// Note this is just a wrapper to jQuery(...).bind("click", ...);

The issue with that method is that it statically binds the event to whatever 
elements match your selector AT THE TIME YOU CALL .click(). So if new elements 
are dynamically added to the page using javascript, the event handler won't be 
attached to those new elements. jQuery also has the .live function, where 
events can be bound as follows:
jQuery(selector).live("click", function() {
    // do some stuff
});
Using .live(), the click event is now dynamically attached to all elements that 
match selector, regardless of the time they are added to the page.

The issue I was having:
-----------------------
So in my example, since web2py initializes its form event handlers with .bind, 
when I load a new form onto the page via ajax then it doesn't have any of the 
event handlers attached to it. This means the date fields are all static, 
delete checkboxes have no confirmation, etc.

What are thoughts on attaching the events using .live() instead? The only 
drawback to .live() I can think of is the increase in performance cost required 
to support dynamic events.

If you want to make it the new default, I'll submit a patch.

-----Original Message-----
From: web2py@googlegroups.com [mailto:web...@googlegroups.com] On Behalf Of 
mdipierro
Sent: Wednesday, November 24, 2010 12:51 PM
To: web2py-users
Subject: [web2py] Re: targeted web2py_ajax_init for dynamically inserted forms

tell us more about jquery live. What do you propose?



[web2py] Possible BUG: Hidden fields in SQLFORM with custom render template

2010-11-23 Thread Josh Jaques
Rendering SQLFORMs with a custom template,  any hidden fields I create, as well 
as the hidden ID field are not displayed in the form until a call to accepts.

I think this might be a bug because the same form rendered without a custom 
template will have the ID and hidden fields without calling accepts.

I tested against latest release.

Thoughts?

Sample controller action:
def index():
    form = SQLFORM(db.images, db.images(1),
                   hidden=dict(test_field="test_value"))
    accepted_form = SQLFORM(db.images, db.images(1),
                            hidden=dict(test_field="test_value"))
    accepted_form.accepts(request.vars, formname=None)
    return dict(form=form, accepted_form=accepted_form)

Sample view:
<!-- RENDER WITHOUT A TEMPLATE -->
{{=form}}

<!-- RENDER WITH A TEMPLATE -->
{{=form.custom.begin}}
Image name: <div>{{=form.custom.widget.name}}</div>
Image file: <div>{{=form.custom.widget.file}}</div>
Click here to upload: {{=form.custom.submit}}
{{=form.custom.end}}

<!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->
{{form=accepted_form}}
{{=form.custom.begin}}
Image name: <div>{{=form.custom.widget.name}}</div>
Image file: <div>{{=form.custom.widget.file}}</div>
Click here to upload: {{=form.custom.submit}}

{{=form.custom.end}}

Sample output:

<!-- RENDER WITHOUT A TEMPLATE -->

<form action="" enctype="multipart/form-data" method="post"><table>
<tr id="images_id__row"><td class="w2p_fl"><label for="images_id" id="images_id__label">Id: </label></td><td class="w2p_fw"><span id="images_id">1</span></td><td class="w2p_fc"></td></tr>
<tr id="images_name__row"><td class="w2p_fl"><label for="images_name" id="images_name__label">Name: </label></td><td class="w2p_fw"><input class="string" id="images_name" name="name" type="text" value="a" /></td><td class="w2p_fc"></td></tr>
<tr id="images_file__row"><td class="w2p_fl"><label for="images_file" id="images_file__label">File: </label></td><td class="w2p_fw"><input class="upload" id="images_file" name="file" type="file" /></td><td class="w2p_fc"></td></tr>
<tr id="submit_record__row"><td class="w2p_fl"></td><td class="w2p_fw"><input type="submit" value="Submit" /></td><td class="w2p_fc"></td></tr>
</table><div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>

<!-- RENDER WITH A TEMPLATE -->

<form  action="" enctype="multipart/form-data" method="post">

Image name: <div><input class="string" id="images_name" name="name" type="text" value="a" /></div>

Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>

Click here to upload: <input type="submit" value="Submit" />

</form>

<!-- RENDER WITH TEMPLATE AFTER ACCEPTS -->

<form  action="" enctype="multipart/form-data" method="post">

Image name: <div><input class="string" id="images_name" name="name" type="text" value="" /><div class="error" id="name__error">enter from 10 to 255 characters</div></div>

Image file: <div><input class="upload" id="images_file" name="file" type="file" /></div>

Click here to upload: <input type="submit" value="Submit" />

<div class="hidden"><input name="test_field" type="hidden" value="test_value" /><input name="id" type="hidden" value="1" /></div></form>






[web2py] SQLDB does not allow manual selection of 'sslmode' for PostgreSQL database connections

2010-09-28 Thread Josh Jaques
When using SQLDB to open a connection to a PostgreSQL database, there is 
currently no way to select the SSL Mode of the connection.

Attached is a patch file which allows the sslmode to be optionally selected for 
non-jdbc Postgres connections via the following URL style:
postgres://user:passw...@host:port/database?sslmode=require.

The related PostgreSQL documentation page is located here: 
http://www.postgresql.org/docs/8.4/static/libpq-ssl.html#LIBPQ-SSL-SSLMODE-STATEMENTS.
 In the documentation you will see that the default value for sslmode is 
prefer. If the sslmode is not specified, the patch will default to prefer. In 
this way I believe the patch is backward compatible.

Regards,
Josh Jaques





sql.py.POSTGRES_SSL.patch
Description: sql.py.POSTGRES_SSL.patch
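
Added example (not the attached patch and not web2py's code): one way to read the optional sslmode from a URL of the style described in the message above, defaulting to prefer and rejecting values libpq does not define. The function name `parse_postgres_uri`, the two derived flags and the sample URLs in the comments are hypothetical.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# sslmode values defined by libpq (see the PostgreSQL page linked above).
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_SSLMODE = "prefer"  # libpq's default, so URLs without sslmode keep working


def parse_postgres_uri(uri):
    """Split postgres://user:password@host:port/database?sslmode=... into parts."""
    parts = urlsplit(uri)
    if parts.scheme != "postgres" or not parts.hostname:
        raise ValueError("expected postgres://user:password@host:port/database")
    query = parse_qs(parts.query, keep_blank_values=True)
    modes = query.get("sslmode", [DEFAULT_SSLMODE])
    # Refuse repeated, empty or unknown values instead of guessing a mode.
    if len(modes) != 1 or modes[0] not in SSLMODES:
        raise ValueError("sslmode must be one of: " + ", ".join(SSLMODES))
    sslmode = modes[0]
    return {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port or 5432,
        "database": parts.path.lstrip("/"),
        "sslmode": sslmode,
        # disable/allow/prefer can end up on a plaintext connection.
        "always_encrypted": sslmode in ("require", "verify-ca", "verify-full"),
        # Only the verify-* modes check the server certificate.
        "server_verified": sslmode in ("verify-ca", "verify-full"),
    }


if __name__ == "__main__":
    # Constructed URLs; host and credentials are placeholders.
    for uri in ("postgres://app:s3cret@db.example.internal:5433/sales?sslmode=require",
                "postgres://app:s3cret@db.example.internal/sales"):
        print(parse_postgres_uri(uri))
```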