def cart_callback():
    # request and HTTP are web2py controller globals; no import needed here.
    try:
        id = int(request.vars.id)
    except (TypeError, ValueError):  # missing/repeated id -> TypeError, 'hacked' -> ValueError
        raise HTTP(400, 'Use an integer')
On Sunday, September 6, 2015 at 1:16:36 AM UTC+2, dirman wrote:
>
>
> I am having a security issue with this function.
> I sent this ajax request: cart_callback?action=add&id=hacked
>
>
> def cart_callback():
>     id = request.vars.id
>     if request.vars.action == 'add':
>         session.cart[id] = session.cart.get(id, 0) + 1
>     if request.vars.action == 'sub':
>         session.cart[id] = max(0, session.cart.get(id, 0) - 1)
>     return str(session.cart[id])
>
> and I got a ticket
>
> even with id=int(request.vars.id)
>
> How do I secure this function so that it accepts only an integer on
> request.vars.id?
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups "web2py-users" group.
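A hardened version of the handler discussed in this thread, added here as an illustration and not code from either poster or from web2py. It assumes stand-ins for request.vars (a plain dict), session.cart (a dict) and web2py's HTTP exception so it runs outside a controller; it also rejects the forms int() would silently accept (leading space, '+' sign, digit underscores) and the TypeError cases (missing or repeated parameter).

```python
import re


class HTTP(Exception):
    """Stand-in for web2py's HTTP exception (constructed for this example)."""
    def __init__(self, status, body=''):
        super().__init__(status, body)
        self.status, self.body = status, body


# Strict non-negative decimal: no sign, whitespace, underscores or leading zeros.
_CANONICAL_ID = re.compile(r'[1-9][0-9]*|0')


def parse_item_id(raw):
    """Return the id as int, or raise HTTP(400) for anything but a canonical decimal string.

    int() alone is too permissive: it accepts ' 7', '+7' and '7_0', and it raises
    TypeError rather than ValueError when the parameter is missing (None) or
    repeated (web2py then delivers a list), which 'except ValueError' would miss.
    """
    if not isinstance(raw, str) or not _CANONICAL_ID.fullmatch(raw):
        raise HTTP(400, 'id must be a non-negative integer')
    return int(raw)


# Whitelisted actions; anything else is rejected instead of silently ignored.
ACTIONS = {
    'add': lambda qty: qty + 1,
    'sub': lambda qty: max(0, qty - 1),
}


def cart_callback(vars, cart):
    """Hardened handler: `vars` plays the role of request.vars, `cart` of session.cart."""
    item_id = parse_item_id(vars.get('id'))
    step = ACTIONS.get(vars.get('action'))
    if step is None:
        raise HTTP(400, 'action must be add or sub')
    cart[item_id] = step(cart.get(item_id, 0))
    return str(cart[item_id])


def status_of(vars, cart):
    """Exercise the handler: return its body, or the HTTP status it raised."""
    try:
        return cart_callback(vars, cart)
    except HTTP as e:
        return e.status


if __name__ == '__main__':
    cart = {}
    for v in ({'action': 'add', 'id': '12'}, {'action': 'add', 'id': 'hacked'},
              {'action': 'add', 'id': ['1', '2']}, {'action': 'sub', 'id': '+12'}):
        print(v, '->', status_of(v, cart))
```

Inside a real controller drop the HTTP stand-in and pass request.vars and session.cart in place of the two dict arguments.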