David.Bear at asu.edu
Fri Jun 9 13:33:11 EDT 2006
Many thanks for all the great comments and suggestions. I do see how passing a pickled in a form object is any less secure then passing the same information in a string. It would be easy to added two items to make it 'unbreakable'. first, after base64 encoding the pickle, I could create an md5sum and put that into a second form elment. Then, I could include one non-pickled item in a third form element. So, it would look something like this. shorthand psuedo code (not python) form1 = [name, address, phone] pickledform1 = base64(pickle(form1)) check = md5sum(pickeldform1) form1 = [pickkledform1, name(from form 1), ,check, additional form fields] Really, the only point of pickling the items from the first form is just to save effort when collecting and handling the form data from the second form. However, if that is the only thing that is gained from doing this.. then its not much. I'm still hesitating using session objects as I don't understand them.. and have read too many things about problems they cause. On Tue, Jun 06, 2006 at 10:45:20PM -0700, Colin Bean wrote: > Hi David, > > I wouldn't consider this method safe at all; a user could easily craft > their own pickled data that does something nasty and edit the source > of the form page to post it to your server. Would it work to store a > user's prior form data in a session? You could still use data from > the first form to generate the second page dynamically. > > -Colin > > On 6/6/06, David Bear <David.Bear at asu.edu> wrote: > >I'm thinking of a simple way to pass form data between different > >forms. For example, if I have page1 with form1 in it, and then for > >page2 dynamically generate the form elements for form2 including data > >from form1, how safe is it to put a python pickle in a form element? > > > >for example, something like > > > ><input type="hidden" name="priordata" value="pythonpicklegoeshere" > > > > >when the form is submitted, I should get a req.form["priordata"] that > >I can de-pickle right? > > > > > >-- > >David Bear > >phone: 480-965-8257 > >fax: 480-965-9189 > >College of Public Programs/ASU > >Wilson Hall 232 > >Tempe, AZ 85287-0803 > > "Beware the IP portfolio, everyone will be suspect of trespassing" > >_______________________________________________ > >Mod_python mailing list > >Mod_python at modpython.org > >http://mailman.modpython.org/mailman/listinfo/mod_python > > -- David Bear phone: 480-965-8257 fax: 480-965-9189 College of Public Programs/ASU Wilson Hall 232 Tempe, AZ 85287-0803 "Beware the IP portfolio, everyone will be suspect of trespassing"