On Mon, Oct 13, 2003 at 11:37:57PM +0100, Simon Willison wrote:
> There doesn't currently appear to be a way of checking if data submitted
> to Quixote from a form was sent by POST or GET.

Version 0.7a1 has HTTPRequest.get_method(). With older versions you can
use request.get_environ('REQUEST_METHOD').

> 1. By differentiating between the two the same 'key' can be used twice.
> For example, a form submitting to a page called 'forms?id=1' can itself
> include an id attribute in the POST data without over-riding the id in
> the URL

I agree that Quixote's HTTPRequest merging of POST and GET variables is a
little impure. OTOH, I'm not too keen on the idea of using the same name
twice.

> 2. My rule of thumb is "only modify data on a POST" - that way there's
> no chance of someone bookmarking a URL that updates a database (for
> example).
>
> 3. It is useful to be able to detect if a form has been submitted or
> not. In PHP, I frequently check for POSTed data and display a form if
> none is available, assume the form has been submitted if there is.

You could use this helper:

    def posted(request):
        """Return true if the request is a POST and there is form data."""
        return (request.form and
                request.get_environ('REQUEST_METHOD') == 'POST')

> 4. Security. While ensuring data has come from POST rather than GET
> provides no security against a serious intruder, it does discourage
> amateurs from "hacking the URL" to see if they can cause any damage.
> Security through obscurity admittedly, but it adds a bit of extra peace
> of mind.

I would be nervous if people could do damage by hacking the form
variables. That bit of obscurity wouldn't help me sleep. POST does look
neater if you have a lot of variables. We use it for almost all of our
forms. We don't care if someone wants to hack the form and make it a GET.

> Are there any plans to add this capability in a future release of
> Quixote?

I'm not sure exactly what you want. If you want POST and GET variables to
be stored separately then I don't think it will happen. I suppose
HTTPRequest could have 'post_form' and 'get_form' and have 'form' be the
union of the two. "request.get_method() == 'POST'" seems clear enough for
testing what HTTP method was used. Are you looking for something else?

  Neil
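
The following is an added example, not part of the message above and not Quixote code: a stand-alone Python sketch of the split discussed in the thread, keeping URL and body variables apart ('get_form' and 'post_form', with 'form' as their union) and modifying data only on a POST. FakeRequest, split_form and update_record are hypothetical names, and the sample requests are constructed.

```python
# Added example: stand-alone sketch, not Quixote's implementation.
# FakeRequest, split_form and update_record are hypothetical names.
from urllib.parse import parse_qs


class FakeRequest:
    """Minimal stand-in for a CGI-style request (constructed for this example)."""

    def __init__(self, method, query_string="", body=""):
        self.environ = {"REQUEST_METHOD": method, "QUERY_STRING": query_string}
        self.get_form, self.post_form, self.form = split_form(
            method, query_string, body)

    def get_environ(self, key, default=None):
        return self.environ.get(key, default)


def split_form(method, query_string, body):
    """Parse URL and body variables separately, then build the merged view."""
    get_form = {k: v[-1] for k, v in parse_qs(query_string).items()}
    post_form = {}
    if method == "POST":
        post_form = {k: v[-1] for k, v in parse_qs(body).items()}
    merged = dict(get_form)
    merged.update(post_form)  # on a name clash the body value shadows the URL
    return get_form, post_form, merged


def posted(request):
    """True only for a POST that carried body variables (URL ones don't count)."""
    return (bool(request.post_form)
            and request.get_environ("REQUEST_METHOD") == "POST")


def update_record(request, store):
    """State-changing handler: a GET, or a POST with no body, changes nothing."""
    if not posted(request):
        return 405, "show form"
    try:
        record_id = request.get_form["id"]   # which record: from the URL
        title = request.post_form["title"]   # new value: from the body
    except KeyError:
        return 400, "missing field"
    store[record_id] = title
    return 200, "updated"


if __name__ == "__main__":
    print(update_record(FakeRequest("POST", "id=1", "id=99&title=hi"), {}))
```

The method check only keeps bookmarked or crawled URLs from changing state; the handler still has to validate the values and authorize the caller.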