Say you have:
db.define_table('user', Field('name'), Field('manager', writable=False, default='no'))
and a registration form:
def register():
    form = SQLFORM(db.user)
    form.accepts(request.vars)
    return dict(form=form)
If attackers were allowed to do
http://.../register?name=me&manager=yes
they would be able to change the manager status even if it does not
appear in the form. Only fields that are declared as writable and
visible to SQLFORM can be inserted in the db.
web2py has lots of security mechanisms and we are working on even
more!
Massimo
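To make the mass-assignment point above concrete, here is an added, stand-alone model of the rule (plain Python, not web2py's own SQLFORM code): a naive handler copies every submitted variable into the row, while the SQLFORM-style handler takes only writable fields from the request and keeps the declared default for everything else. The Field class, USER_TABLE and ATTACK_VARS are constructed stand-ins for the table and query string in the message.

```python
from dataclasses import dataclass


@dataclass
class Field:
    # Constructed stand-in for web2py's Field(name, writable=..., default=...)
    name: str
    writable: bool = True
    default: object = None


# Stand-in for db.define_table('user', ...): 'manager' is not writable
# through a form and defaults to 'no'.
USER_TABLE = [Field('name'), Field('manager', writable=False, default='no')]

# Constructed request: the submitted vars from .../register?name=me&manager=yes
ATTACK_VARS = {'name': 'me', 'manager': 'yes'}


def naive_insert(table, request_vars):
    """Vulnerable pattern: every submitted key that matches a column is stored,
    so a client can set columns that were never part of the form."""
    row = {f.name: f.default for f in table}
    row.update({k: v for k, v in request_vars.items() if k in row})
    return row


def sqlform_like_accept(table, request_vars):
    """Model of SQLFORM.accepts: returns (form_vars, rejected).

    form_vars contains only writable fields taken from the request; a
    non-writable field always keeps its default, whatever was submitted.
    rejected lists submitted keys that were ignored (present in request.vars,
    absent from form.vars), which is worth logging as a tampering signal."""
    writable = {f.name for f in table if f.writable}
    form_vars = {}
    for f in table:
        if f.writable and f.name in request_vars:
            form_vars[f.name] = request_vars[f.name]
        else:
            form_vars[f.name] = f.default
    rejected = sorted(k for k in request_vars if k not in writable)
    return form_vars, rejected


if __name__ == '__main__':
    print('naive   :', naive_insert(USER_TABLE, ATTACK_VARS))
    print('filtered:', sqlform_like_accept(USER_TABLE, ATTACK_VARS))
```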
On Oct 25, 12:07 am, Ruiwen Chua <[email protected]> wrote:
> Thanks for the clarification.
>
> Though, in what way is this a security mechanism?
>
> On Oct 25, 1:03 pm, mdipierro <[email protected]> wrote:
>
> > I understand. That is intended. That is a security mechanism.
> > You must use SQLFORM(...,hidden=...)
>
> > On Oct 24, 11:46 pm, Ruiwen Chua <[email protected]> wrote:
>
> > > Yes, the hidden input values do seem to appear in request.post_vars.
>
> > > I call form.accepts(), like so: form.accepts(request.post_vars,
> > > formname=None)
>
> > > And even so, only the non-hidden field is saved to the database.
>
> > > On Oct 25, 12:43 pm, mdipierro <[email protected]> wrote:
>
> > > > The hidden fields will be in request.vars but not in form.vars because
> > > > accepts does not know they are supposed to be there and protects you
> > > > from injection attacks.
>
> > > > You can also try use this:
>
> > > > form=SQLFORM(....,hidden=dict(key='value'))
>
> > > > Massimo
>
> > > > On Oct 24, 11:39 pm, Ruiwen Chua <[email protected]> wrote:
>
> > > > > Apologies, I wasn't clear. I meant that the form in the view is static
> > > > > HTML and not generated by SQLFORM.
>
> > > > > However, in the action that receives the POST, I instantiate a new
> > > > > SQLFORM for that model and pass request.post_vars to it.
>
> > > > > On Oct 25, 12:30 pm, mdipierro <[email protected]> wrote:
>
> > > > > > if you use
>
> > > > > > form.accepts()
>
> > > > > > what is form if you do not use FORM or SQLFORM?
>
> > > > > > On Oct 24, 11:27 pm, Ruiwen Chua <[email protected]> wrote:
>
> > > > > > > Hi all,
>
> > > > > > > I have created a manual HTML form (not FORM() or SQLFORM()) that
> > > > > > > has a
> > > > > > > few hidden fields (ie. <input type="hidden">..)
>
> > > > > > > When this form posts back to the controller, form.accepts()
> > > > > > > returns
> > > > > > > True, but only the non-hidden field (there is only one, the rest
> > > > > > > are
> > > > > > > hidden) is saved to the database. The other fields all get saved
> > > > > > > as
> > > > > > > NULL.
>
> > > > > > > Is there something I'm missing?
>
> > > > > > > Thanks