[mod_python] passing pickles

Mike Looijmans nlv11281 at natlab.research.philips.com
Wed Jun 7 01:35:27 EDT 2006

That would be very, very insecure. Once one knows it's a pickled object, someone can trick Python 
into doing quite some stuff that you never intended them to do.

It's much safer to use a set of hidden fields or something similar and map that to a dictionary (as 
req.form does already).

Mike Looijmans
Philips Natlab / Topic Automation

David Bear wrote:
> I'm thinking of a simple way to pass form data between different
> forms. For example, if I have page1 with form1 in it, and then for
> page2 dynamically generate the form elements for form2 including data
> from form1, how safe is it to put a python pickle in a form element?
> for example, something like
> <input type="hidden" name="priordata" value="pythonpicklegoeshere" >
> when the form is submitted, I should get a req.form["priordata"] that
> I can de-pickle right?

More information about the Mod_python mailing list