Mike Looijmans
nlv11281 at natlab.research.philips.com
Wed Jun 7 01:35:27 EDT 2006
That would be very, very insecure. Once one knows it's a pickled object, someone can trick Python into doing quite some stuff that you never intended them to do. It's much safer to use a set of hidden fields or something similar and map that to a dictionary (as req.form does already).

Mike Looijmans
Philips Natlab / Topic Automation

David Bear wrote:
> I'm thinking of a simple way to pass form data between different
> forms. For example, if I have page1 with form1 in it, and then for
> page2 dynamically generate the form elements for form2 including data
> from form1, how safe is it to put a python pickle in a form element?
>
> for example, something like
>
> <input type="hidden" name="priordata" value="pythonpicklegoeshere" >
>
> when the form is submitted, I should get a req.form["priordata"] that
> I can de-pickle right?
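An added example, not code from either post, of what the safer approach suggested above can look like in Python: the prior form data travels in the hidden field as JSON instead of a pickle, so json.loads can only ever hand back plain dicts, lists, strings and numbers, and an HMAC tag (an addition beyond the thread's suggestion; SECRET_KEY is a constructed placeholder) lets the server notice when the value was edited in the browser before being posted back.

```python
import base64
import hashlib
import hmac
import json
from html import escape

# Constructed placeholder; a real deployment loads a random secret from server-side config.
SECRET_KEY = b"replace-me-with-a-random-server-side-secret"


def pack_prior_data(data, key=SECRET_KEY):
    """Serialise a dict of plain form values into one hidden-field value.

    json.dumps cannot emit object constructors, so unlike a pickle the
    client never gets a chance to make the server instantiate something.
    The HMAC over the encoded body detects tampering on the way back.
    """
    body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def unpack_prior_data(value, key=SECRET_KEY):
    """Reverse of pack_prior_data: the dict, or None if the value is malformed,
    the tag does not verify, or the payload is not a JSON object."""
    try:
        body, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    return data if isinstance(data, dict) else None


def hidden_field(name, value):
    """Render one <input type="hidden"> with name and value HTML-escaped."""
    return '<input type="hidden" name="%s" value="%s">' % (
        escape(name, quote=True), escape(value, quote=True))
```

On the receiving side, pass req.form["priordata"] to unpack_prior_data and treat None as a rejected request.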