Just in general, is it a good idea to expose primary keys like this? sometimes you can see them in urls too, like: www.yoursite/blog/1/, 1 would be the primary key of a blog.
It's an easy way to refer to an object. Unless there is a secure connection it's this is IMHO the best way to refer to the object.
Of cause you can do it complicated ( with look up tables on the server etc. ) but the result matters.
And I like to keep my life and my apps simple 
2015-05-27 16:05 GMT+02:00 Cheng Guo <cheng.guo@gmail.com>:
Thank you! Yes, I forgot about the csrf. You are right, it would be difficult to fake the CSRF string.--Just in general, is it a good idea to expose primary keys like this? sometimes you can see them in urls too, like: www.yoursite/blog/1/, 1 would be the primary key of a blog.
On Wednesday, 27 May 2015 22:01:37 UTC+8, Matthias Müller wrote:Without looking at the link I guess that you explantion is more or less correct.But it's not a security issue that the database is updated by a form. It has to be updated by a form. To make it a correct django form there is a hidden field with the CSRF token. This protects the database being updated from any illegal source.In your example there is this csrf missing, Most probably for didactical reasons.CheersMatthias2015-05-27 15:47 GMT+02:00 Cheng Guo <chen...@gmail.com>:Hello,--I have a formset and when I render it, Django would include this line in the HTML:
<input id="id_form-0-id" name="form-0-id" type="hidden">I am curious what is the purpose of having an id field here.
I mean in what situation would you use it. I did look through Django's documentation on formsetbut cannot find much documentation on this.
One answer I got is that this id field is the value of the primary key of the model bound to this form. It is there so that when the formset updates, people can use it to retrieve the corresponding record from the database.Is the above explaination correct?If this explaination is correct, then my next question is, wouldn't it be dangerous to expose the primary key like that? I can make a post call to your server with a modified pk which can mess up your database.Thank you!
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/18e0d250-c4a9-4060-ae4f-19afb57566e0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/285ee494-8b28-42cd-8af9-4cb33983a82c%40googlegroups.com.
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAA2xsHSSy03DSHaBfT4RNxv4zYJUBTdySLvg__mjMDheSemE4w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment