security - Django: preventing external query string requests

I've been doing web development for a few months and keep having a nagging problem. Typical pages request content with a query string that contains meaningful info, such as an id in the database. For illustration, a link such as: http://www.example.com/posts?id=5

I've been trying to think of a strategy to prevent users from manually entering a value for id without having accessed a link -- I'd wish to acknowledge only requests made from links presented on the website. Also, the website may not have an authentication scheme and allows anonymous browsing; that being said, the info isn't particularly sensitive, but I still don't like the thought of not being able to control access to the information. One option, I suppose, is to use HTTP POST requests for these kinds of pages -- I don't believe a user can simulate a POST request, but I may be wrong.

Furthermore, a user can place an arbitrary number for id and end up requesting a record that doesn't exist in the database. Of course I validate the requested id, but it wastes resources to accommodate that check.

Any thoughts? I'm working in Django, but a general strategy for any programming language is good. Thanks.

First, choosing between GET and POST: a user can simulate either kind of request, so POST will not help there. When choosing between the two, it is best to decide based on the action the user is taking or how they are interacting with the content. Are they getting a page or sending info (a form is the obvious example)? In the case of retrieving some sort of post, GET is appropriate.

Also worth noting, GET is the right selection if the content is appropriate for bookmarking. Serving a URL based solely on the referrer -- that is, to "prevent users from manually entering a value for id without having accessed a link" -- is a terrible idea. It will cause innumerable headaches and is not a nice experience for the user.

As a general principle, avoid relying on the primary key of a database record. The key (id=5 in this case) should be treated purely as an auto-increment field that prevents record collisions, i.e. it is guaranteed to be a unique field across the records in the table. The id field is a backend utility. Don't expose it to users and don't rely on it yourself.

If you can't use the id, what do you use? A common idiom is using the date of the record, a slug, or both. If dealing with posts, use the published/created date. Add a text field to hold URL-friendly and descriptive words. Call it a slug and read about Django's models.SlugField for more information. Also, see the URL of an article on a news site. The final URL: http://www.example.com/posts/2012/01/19/this-is-cool/

Now the URL is friendly on the eyes, has google-fu SEO benefits, is bookmark-able and isn't guessable. Because you aren't relying on the back-end database's fixed arbitrary id, you have the freedom to...restore a backup DB dump, move databases, alter the auto-increment number id to a UUID hash, whatever. That is the database's concern, not the programmer's and not the users'.

Oh, and don't over-worry about a user "requesting a record that doesn't exist" or "validating the requested id"...you have to do that anyway. It isn't consuming unnecessary resources. That is how a database-backed website works. You have to connect the request to data. If the request is incorrect, 404. The webserver handles non-existent URLs and you'll need to handle non-existent data. Check out Django's get_object_or_404() for ideas/implementation.
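The date-plus-slug routing and the "connect the request to data, 404 otherwise" rule from the answer above, as an added example that is not part of the original post or of Django itself. It is plain Python so it runs without Django installed: the `POST_URL` regex stands in for a URLconf entry, `NotFound` stands in for `Http404`, `get_post_or_404()` for `get_object_or_404()`, and `POSTS` is a constructed in-memory table. The internal `pk` is kept on the record but never appears in a URL, so a visitor cannot enumerate records by counting; a bad path, an impossible date, or an unknown slug all collapse to the same 404. Note that a descriptive URL only removes the enumeration problem; it is not an access control, so anything actually sensitive still needs an authorization check in the view.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Post:
    pk: int          # internal auto-increment key: a backend detail, never put in a URL
    published: date
    slug: str
    title: str


def slugify(title: str) -> str:
    """Turn a title into a URL-friendly slug (lowercase ASCII words joined by '-')."""
    slug = re.sub(r"[^a-z0-9]+", "-", title.lower())
    return slug.strip("-")


# Constructed sample data standing in for a database table of posts.
POSTS = [
    Post(pk=5, published=date(2012, 1, 19), slug="this-is-cool", title="This is Cool!"),
    Post(pk=6, published=date(2012, 1, 20), slug="another-post", title="Another Post"),
]
# Lookup index on the natural key (published date, slug), mirroring a DB unique constraint.
INDEX = {(p.published, p.slug): p for p in POSTS}

# Stand-in for a URLconf pattern: /posts/<year>/<month>/<day>/<slug>/
POST_URL = re.compile(
    r"^/posts/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/(?P<slug>[a-z0-9-]+)/$"
)


class NotFound(Exception):
    """Stand-in for Django's Http404."""


def get_post_or_404(path: str) -> Post:
    """Resolve a request path to a Post, raising NotFound for anything that does not map."""
    m = POST_URL.match(path)
    if m is None:
        raise NotFound(path)            # path does not route at all, e.g. "/posts?id=5"
    try:
        published = date(int(m["year"]), int(m["month"]), int(m["day"]))
    except ValueError:
        raise NotFound(path) from None  # syntactically valid but impossible date, e.g. Feb 30
    post = INDEX.get((published, m["slug"]))
    if post is None:
        raise NotFound(path)            # well-formed URL, but no such record
    return post


def handle(path: str) -> tuple[int, str]:
    """Minimal view: (HTTP status, body). Every miss is the same 404, nothing else leaks."""
    try:
        post = get_post_or_404(path)
    except NotFound:
        return 404, "Not Found"
    return 200, post.title


def url_for(post: Post) -> str:
    """Build the canonical link for a post; this is what the site's own pages should emit."""
    return f"/posts/{post.published:%Y/%m/%d}/{post.slug}/"


if __name__ == "__main__":
    for path in [url_for(POSTS[0]), "/posts/2012/01/19/nope/", "/posts?id=5", "/posts/2012/02/30/x/"]:
        print(path, "->", handle(path))
```

In real Django the same shape is a `path("posts/<int:year>/<int:month>/<int:day>/<slug:slug>/", views.post_detail)` entry in `urls.py` and a view that calls `get_object_or_404(Post, published__year=year, published__month=month, published__day=day, slug=slug)`; the database unique constraint on `(published, slug)` plays the role of `INDEX` here.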

Tags: django, security, query-string, http-get
