/me forced himself to use 'integer', requires=IS_INT_IN_RANGE(0, None) every time it's needed. Eventually, for some apps, I also edited the default JavaScript function (checking "numeric" fields while they are compiled, for pre-validation purposes) so that it does not allow the "-" sign in it.
On 10 Aug, 10:44, guruyaya <[email protected]> wrote:
> I had a thought while developing a small app, about security of the
> default validators.
> As for now, these are the default validators of numbers in web2py
>
> integer IS_INT_IN_RANGE(-1e100, 1e100)
> double IS_FLOAT_IN_RANGE(-1e100, 1e100)
> decimal(n,m) IS_DECIMAL_IN_RANGE(-1e100, 1e100)
>
> I went over all the times I've made an app, used integer fields, and
> asked myself - what if the number was negative? Most of the time my
> answer ranged from - things will work, but it would be really odd - to
> - oh my god, an 11 year old girl can hack me. (I'm not talking about
> web2py apps only, but earlier PHP projects too).
>
> My guess, most of us count on web2py validators, and never take a 2nd
> thought about "the minus problem". I'm not sure changing web2py
> default validators is an option here (because it will mess up backward
> compatibility). Yet - this is really a common problem, that I'd love
> to know how you handle.
>
> Thanks
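
An added illustration of the "minus problem" discussed in this thread, not code from either poster or from web2py: `int_in_range` is a hypothetical stand-in for a range validator (its bound semantics are an assumption of this sketch), and the prices and form values are constructed. It shows the same submitted form passing a range as wide as the quoted default and being rejected once the lower bound is 0.

```python
# Added example: int_in_range is a hypothetical stand-in, not web2py's code.
def int_in_range(minimum=None, maximum=None):
    """Build a validator: raw -> (value, error). None means no bound.

    Assumed semantics for this sketch: minimum inclusive, maximum exclusive.
    """
    def validate(raw):
        text = str(raw).strip()
        digits = text[1:] if text[:1] in ("+", "-") else text
        if not (digits.isascii() and digits.isdigit()):
            return raw, "enter an integer"
        value = int(text)
        if minimum is not None and value < minimum:
            return raw, "value must be >= %d" % minimum
        if maximum is not None and value >= maximum:
            return raw, "value must be < %d" % maximum
        return value, None
    return validate


def checkout(form, prices, validator):
    """Validate every submitted quantity, then total the order in cents.

    Returns (total, {}) on success or (None, errors) if any field fails.
    """
    errors, total = {}, 0
    for item, raw in form.items():
        value, error = validator(raw)
        if error:
            errors[item] = error
        else:
            total += prices[item] * value
    return (None, errors) if errors else (total, {})


# Constructed sample data: prices in cents and one submitted form.
PRICES = {"book": 1500, "pen": 200}
FORM = {"book": "1", "pen": "-7"}

# Range matching the default quoted in the thread: any sign is accepted.
PERMISSIVE = int_in_range(-10**100, 10**100)
# Lower bound of 0, as in the reply's IS_INT_IN_RANGE(0, None).
NON_NEGATIVE = int_in_range(0, None)

if __name__ == "__main__":
    print(checkout(FORM, PRICES, PERMISSIVE))    # negative line cuts the total
    print(checkout(FORM, PRICES, NON_NEGATIVE))  # rejected before any maths
```

The check belongs on the server side: a JavaScript pre-validation that strips the "-" sign only helps honest users, since a request can be sent without the browser.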

