On Mon, Oct 13, 2003 at 11:37:57PM +0100, Simon Willison wrote:
> There doesn't currently appear to be a way of checking if data submitted
> to Quixote from a form was sent by POST or GET.
Version 0.7a1 has HTTPRequest.get_method(). With older versions you
can use request.get_environ('REQUEST_METHOD').
> 1. By differentiating between the two the same 'key' can be used twice.
> For example, a form submitting to a page called 'forms?id=1' can itself
> include an id attribute in the POST data without over-riding the id in
> the URL
I agree that Quixote's HTTPRequest merging of POST and GET variables
is a little impure. OTOH, I'm not too keen on the idea of using the
same name twice.
> 2. My rule of thumb is "only modify data on a POST" - that way there's
> no chance of someone bookmarking a URL that updates a database (for
> example).
>
> 3. It is useful to be able to detect if a form has been submitted or
> not. In PHP, I frequently check for POSTed data and display a form if
> none is available, assume the form has been submitted if there is.
You could use this helper:
def posted(request):
    """Return true if the request is a POST and there is form data."""
    return (request.form and
            request.get_environ('REQUEST_METHOD') == 'POST')
> 4. Security. While ensuring data has come from POST rather than GET
> provides no security against a serious intruder, it does discourage
> amateurs from "hacking the URL" to see if they can cause any damage.
> Security through obscurity admittedly, but it adds a bit of extra peace
> of mind.
I would be nervous if people could do damage by hacking the form
variables. That bit of obscurity wouldn't help me sleep.
POST does look neater if you have a lot of variables. We use it for
almost all of our forms. We don't care if someone wants to hack the
form and make it a GET.
> Are there any plans to add this capability in a future release of
> Quixote?
I'm not sure exactly what you want. If you want POST and GET
variables to be stored separately then I don't think it will happen.
I suppose HTTPRequest could have 'post_form' and 'get_form' and have
'form' be the union of the two.
"request.get_method() == 'POST'" seems clear enough for testing what
HTTP method was used. Are you looking for something else?
Neil
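As an added illustration of the points in this exchange (not part of the original thread and not Quixote's code), the following constructs a minimal stand-in request object that exposes get_environ() and get_method() the way the thread describes, keeps the URL variables and the body variables apart as separate get_form/post_form dictionaries alongside a merged form, and shows a handler that follows the "only modify data on a POST" rule. The Request class, the RECORDS store, the update_title handler and the ownership check are all this example's own assumptions; the only thing taken from the thread is the posted() helper and the method check. The sample requests at the bottom are constructed, not captured traffic.

```python
from urllib.parse import parse_qs


class Request:
    """Constructed stand-in for Quixote's HTTPRequest (assumption: not the
    real class). It offers get_environ() and get_method() as mentioned in
    the thread, plus the merged .form, but the parsing is this example's."""

    def __init__(self, environ, body=b""):
        self.environ = environ
        # Variables that came from the URL, e.g. forms?id=1
        self.get_form = self._flatten(environ.get("QUERY_STRING", ""))
        # Variables that came from the body, only for a form-encoded POST
        self.post_form = {}
        if (environ.get("REQUEST_METHOD") == "POST" and
                environ.get("CONTENT_TYPE", "").startswith(
                    "application/x-www-form-urlencoded")):
            self.post_form = self._flatten(body.decode("utf-8"))
        # Merged view, as Quixote's .form does; here the body wins on a
        # name collision, which is the information loss Simon is describing.
        self.form = {**self.get_form, **self.post_form}

    @staticmethod
    def _flatten(qs):
        # Keep the last value for each name; enough for this illustration.
        return {k: v[-1] for k, v in parse_qs(qs).items()}

    def get_environ(self, name, default=None):
        return self.environ.get(name, default)

    def get_method(self):
        return self.environ.get("REQUEST_METHOD")


def posted(request):
    """The helper from the thread, written against get_method()."""
    return bool(request.form) and request.get_method() == "POST"


# Constructed in-memory store standing in for a database.
RECORDS = {"1": {"owner": "alice", "title": "draft"}}


def update_title(request, user):
    """Handler that follows 'only modify data on a POST'.
    Returns (outcome, changed) so a caller can see what happened."""
    if not posted(request):
        # A bookmarked GET, or a POST with no data: render the form, write nothing.
        return "show-form", False
    rid = request.get_form.get("id")          # which record: from the URL
    title = request.post_form.get("title")    # what to write: from the body
    rec = RECORDS.get(rid)
    if rec is None or title is None:
        return "bad-request", False
    # Assumed policy: the method check is not authorization. Anyone can turn
    # the GET into a POST, so the control that matters is this ownership check.
    if rec["owner"] != user:
        return "forbidden", False
    rec["title"] = title
    return "updated", True


def demo():
    # 1) A bookmarked URL carrying everything as GET parameters (constructed).
    get_req = Request({"REQUEST_METHOD": "GET",
                       "QUERY_STRING": "id=1&title=pwned"})
    # 2) The same update as a POST, with 'id' both in the URL and in the body,
    #    i.e. the 'same key used twice' case from the thread (constructed).
    post_req = Request({"REQUEST_METHOD": "POST",
                        "QUERY_STRING": "id=1",
                        "CONTENT_TYPE": "application/x-www-form-urlencoded"},
                       body=b"id=999&title=renamed")
    return [
        update_title(get_req, "alice"),      # GET never writes
        update_title(post_req, "mallory"),   # POST alone is not authorization
        update_title(post_req, "alice"),     # owner may update via POST
        # merged form lost the URL id; the split dictionaries kept both
        (post_req.form["id"], post_req.get_form["id"], post_req.post_form["id"]),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last tuple returned by demo() is the concrete case behind Simon's first point: with a merged form the URL's id=1 is silently replaced by the body's id=999, while the separate get_form/post_form keep both. The handler deliberately takes the record id from the URL and the new value from the body, and the ownership check is there because, as Neil says, a method check on its own would not let anyone sleep better.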