db.insert will correctly escape any data that's passed to it via
kwargs.  The reason that the code there uses **f.d is a little
different.  Pretend you had a schema like this:

table users (
    name text,
    role text,
    nickname text
);

...and you wanted to let them update their nickname via a webform,
like this:

nick_form = form.Form(
    form.Textbox('nickname'),
    form.Button('Submit')
)

If the user inputs their data and submits, you could then call:

db.update('users', **web.input())

This would work.  However, if the user figured out your schema somehow
(or just guessed) they could send something like this:

/update?nickname=birdo&role=admin

If you used the raw input, it would update his 'role' to 'admin', and
if that's how your system worked, he just got admin access (not
good!).  If you use form.d as the dictionary, you basically get the
web.input() dictionary, but only the keys that are in the nick_form
(in this case, just 'nickname').

Hope that makes sense!

Cheers,
Justin

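The mass-assignment problem Justin describes, as an added, self-contained example that is not from this thread or from web.py itself. It uses the standard library's sqlite3 in place of web.py's db object, a tuple of declared field names (NICK_FORM_FIELDS, an assumption standing in for form.Form), parse_query standing in for web.input(), and form_d standing in for form.d. The same query string, /update?nickname=birdo&role=admin, is run through both paths so you can see the role change only when the raw input is used.

```python
import sqlite3
from urllib.parse import parse_qs

# Hypothetical stand-in for nick_form: the only field the form declares.
NICK_FORM_FIELDS = ("nickname",)


def parse_query(query_string):
    """Flatten a query string into a dict, roughly what web.input() returns."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def form_d(form_fields, raw_input):
    """Mimic form.d: keep only the keys the form actually declares."""
    return {k: v for k, v in raw_input.items() if k in form_fields}


def setup_db():
    """Constructed sample data: one ordinary user with the schema from the mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, nickname TEXT)")
    conn.execute("INSERT INTO users VALUES ('bob', 'user', 'bobby')")
    return conn


def update_user(conn, name, fields):
    """Build UPDATE users SET col = ?, ... WHERE name = ? from a dict.

    Values are bound parameters, so they are escaped correctly, exactly as
    Justin says db.update does. Column names come from the dict's keys, so
    they are checked against the real schema before reaching the SQL text.
    Escaping is not the issue here: every key that survives is applied.
    """
    columns = {row[1] for row in conn.execute("PRAGMA table_info(users)")}
    unknown = set(fields) - columns
    if unknown:
        raise ValueError(f"unknown columns: {sorted(unknown)}")
    assignments = ", ".join(f'"{col}" = ?' for col in fields)
    conn.execute(
        f"UPDATE users SET {assignments} WHERE name = ?",
        (*fields.values(), name),
    )
    return conn.execute(
        "SELECT role, nickname FROM users WHERE name = ?", (name,)
    ).fetchone()


def unsafe_update(query_string, name="bob"):
    """The db.update('users', **web.input()) pattern: every key is applied."""
    conn = setup_db()
    return update_user(conn, name, parse_query(query_string))


def safe_update(query_string, name="bob"):
    """The **f.d pattern: only keys declared on the form are applied."""
    conn = setup_db()
    return update_user(conn, name, form_d(NICK_FORM_FIELDS, parse_query(query_string)))


if __name__ == "__main__":
    attack = "nickname=birdo&role=admin"
    print("raw input :", unsafe_update(attack))   # ('admin', 'birdo')
    print("form.d    :", safe_update(attack))     # ('user', 'birdo')
```

The filtering in form_d is the whole fix: the extra role key never reaches the UPDATE. Note that the schema check in update_user only rejects names that are not columns at all; it cannot tell a column the user may set from one they may not, which is why the allow-list has to live with the form, not with the database layer.
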
On Sep 17, 11:00 am, Pyther <[email protected]> wrote:
> On Thu, Sep 17, 2009 at 10:42 AM, miles groman <[email protected]> wrote:
>
> > On Thu, Sep 17, 2009 at 7:03 AM, Pyther <[email protected]> wrote:
>
> >> How can I access the form data in POST?
> >> In the example myform is global.
>
> > urls = ( '/save', 'MyFormProcessor')
>
> > class MyFormProcessor:
> >     def POST(self):
> >         data = web.input()
> >         # do something with data
>
> Cheers! I have another question. How secure is using web.input()? The
> page for form.py states "#don't do web.insert('data_table',
> **web.input()) because malicious data could be submitted too"
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"web.py" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/webpy?hl=en
-~----------~----~----~----~------~----~------~--~---