How can I pass a vulnerable parameter from a template to a view in Django?
I'm creating an app which can create, edit or view a place.
When I edit or view a place, I pass the 'id' field through the URL, for example:
/places/place/1
/places/place/2 ...
When I try to edit a place I do:
place_detail.html
<a href="{% url places_edit_place place.id %}">Edit</a>
The 'place' var is a form.
url.py
urlpatterns = patterns('',
    url(r'^edit_place/(?P<id_place>\w+)/$',
        views.edit_place,
        name='places_edit_place'),
)
view.py
def edit_place(request, id_place, template_name='places/edit_place.html'):
I receive the 'id' field of a place object in the 'id_place' arg. But if I change the 'id' arg in the URL (/places/edit_place/1 to /places/edit_place/2), the web page goes to the second place to be edited, and a user could change this arg however he wants.
How can I send this private 'id' arg from a template to a view without the user being able to see it?
Don't.
If your app has rules to determine which places a user can edit, you should implement some business logic to ensure that the user can't edit that place, even if they happen to go to the URL to do so. You can use Django's authorization decorators to ensure that the user can't access anything they shouldn't.
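The following is an added example illustrating the answer's point; it is not code from the question or the answer. It is a framework-free model of the view, so it runs without Django: User, Place, Request, the in-memory PLACES table and the login_required stand-in are all constructed here. The hardened edit_place leaves the id in the URL exactly as before but scopes the lookup to the requesting user, which is what get_object_or_404(Place, pk=id_place, owner=request.user) behind Django's login_required decorator does in a real project (the owner field is an assumption about the Place model).

```python
# Added example, not the original poster's code: a framework-free model of
# the "don't hide the id, authorize the request" answer. Every class and the
# PLACES table below are constructed stand-ins for Django's models/request.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User(username="", is_authenticated=False)


@dataclass
class Place:
    id: int
    name: str
    owner: str  # username allowed to edit this place (assumed model field)


@dataclass
class Request:
    user: User
    method: str = "GET"
    POST: Dict[str, str] = field(default_factory=dict)


# Constructed sample data standing in for Place.objects
PLACES: Dict[int, Place] = {
    1: Place(id=1, name="Cafe", owner="alice"),
    2: Place(id=2, name="Park", owner="bob"),
}


def _lookup(id_place: str) -> Optional[Place]:
    """The URL pattern is \\w+, so the captured value may not be numeric."""
    try:
        return PLACES.get(int(id_place))
    except ValueError:
        return None


def edit_place_unchecked(request: Request, id_place: str) -> Tuple[int, Optional[Place]]:
    """The shape of the view in the question: whoever supplies an id gets the
    place, so changing /edit_place/1 to /edit_place/2 simply works."""
    place = _lookup(id_place)
    if place is None:
        return 404, None
    if request.method == "POST":
        place.name = request.POST.get("name", place.name)
    return 200, place


def login_required(view):
    """Stand-in for django.contrib.auth.decorators.login_required: anonymous
    users never reach the view body."""
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated:
            return 302, None  # Django would redirect to the login page here
        return view(request, *args, **kwargs)
    return wrapper


@login_required
def edit_place(request: Request, id_place: str) -> Tuple[int, Optional[Place]]:
    """Hardened view: the id stays in the URL, but the object is only found
    if it belongs to the requesting user (Django equivalent:
    get_object_or_404(Place, pk=id_place, owner=request.user))."""
    place = _lookup(id_place)
    if place is None or place.owner != request.user.username:
        # One 404 for both "missing" and "not yours" avoids confirming
        # that somebody else's id exists.
        return 404, None
    if request.method == "POST":
        place.name = request.POST.get("name", place.name)
    return 200, place


if __name__ == "__main__":
    alice = Request(user=User("alice"))
    print("unchecked, alice asks for bob's place:", edit_place_unchecked(alice, "2")[0])
    print("checked,   alice asks for bob's place:", edit_place(alice, "2")[0])
    print("checked,   anonymous asks for place 1:", edit_place(Request(user=ANONYMOUS), "1")[0])
```

The important design choice is that the authorization decision is made from session state the server controls (request.user) and the object's own ownership data, never from anything the client sent; hiding the id in a form field or session key would not change who is allowed to edit the record.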