[mod_python] psp import issue

maker joe makerjoe at gmail.com
Fri Jun 22 02:50:35 EDT 2007


Hi Graham,

There is a mistake in:
locals()["_%s"+%k] = req.form[k]

should be
locals()["_%s"+k] = req.form[k]

kind regards
joseluis

On 6/21/07, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> On 22/06/07, maker joe <makerjoe at gmail.com> wrote:
> > sure you convinced me
> >
> > but why not ?
> >     for k in req.form:
> >         exec ("_"+k+"="+"req.form[k]")
> >         print k,_test
>
> Using a prefix is one way of avoiding the problem, but don't use exec
> as there is no need to. Use:
>
>   locals()["_%s"+%k] = req.form[k]
>
> Graham
>
> > On 6/21/07, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> > > On 22/06/07, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
> > > > > and
> > > > > req.form['varx']  by _varx
> > > >
> > > > Don't recommend pushing form fields in local name space as doesn't
> > > > make it as obvious that it is a form field and there would be a
> > > > tendency not to perform checks to make sure the field you are looking
> > > > for actually exists. Also, it will all possibly blow up if someone
> > > > supplied a field you weren't expecting which replaced some important
> > > > data or clashed with a keyword.
> > > >
> > > > If you really must do something like that though, you might adapt the
> > > > following code from mod_python.util.apply_fs_data(). Replace 'fs' with
> > > > req.form and replace args with locals().
> > > >
> > > >     # add form data to args
> > > >     for field in fs.list:
> > > >         if field.filename:
> > > >             val = field
> > > >         else:
> > > >             val = field.value
> > > >         args.setdefault(field.name, []).append(val)
> > > >
> > > >     # replace lists with single values
> > > >     for arg in args:
> > > >         if ((type(args[arg]) is ListType) and
> > > >             (len(args[arg]) == 1)):
> > > >             args[arg] = args[arg][0]
> > >
> > > BTW, if using publisher, a quicker way of doing this would be:
> > >
> > >   def func(req, arg1, arg2, **args):
> > >     locals().update(args)
> > >     ...
> > >
> > > As I said though, this is dangerous as someone outside your web site
> > > can directly modify data your function uses to execute or cause your
> > > handler to crash in bad ways.
> > >
> > > For example, with publisher function:
> > >
> > >   def index(req, **args):
> > >     locals().update(args)
> > >     req.content_type = 'text/plain'
> > >     return 'mod_python.publisher', req.filename
> > >
> > > If URL of:
> > >
> > >   http://localhost:8002/~grahamd/publisher/index.py?req=xxx
> > >
> > > is used, I get an error saying:
> > >
> > >   AttributeError: 'mp_request' object has no attribute 'append'
> > >
> > > This is because I was able to replace the request object argument with
> > > another value.
> > >
> > > Same problem will occur if using the longer example I showed before.
> > >
> > > Hopefully you will now be convinced this is a bad bad idea.
> > >
> > > Graham
> > >
> >
>
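The clash described in the quoted messages, reproduced outside mod_python as an added example (not code from this thread or from mod_python itself). `FakeRequest`, the `ALLOWED` table and all function names are hypothetical stand-ins, and the form fields are constructed; the last function shows the alternative of keeping fields in their own dict and accepting only expected names.

```python
# FakeRequest is a hypothetical stand-in for mod_python's request object.
class FakeRequest:
    filename = "/srv/app/index.py"

def merge_like_apply_fs_data(args, fields):
    """Merge (name, value) form pairs into args the way the quoted loop does."""
    for name, value in fields:
        args.setdefault(name, []).append(value)
    for name in args:
        if isinstance(args[name], list) and len(args[name]) == 1:
            args[name] = args[name][0]
    return args

def merge_prefixed(namespace, fields, prefix="_"):
    """Prefix variant: cannot clash with 'req', but still accepts any field name."""
    for name, value in fields:
        namespace[prefix + name] = value
    return namespace

ALLOWED = {"test": str, "page": int}  # hypothetical: fields this handler expects

def read_form(fields, allowed=ALLOWED):
    """Keep form data in its own dict; accept expected names once each, converted."""
    form, rejected = {}, []
    for name, value in fields:
        if name not in allowed or name in form:
            rejected.append(name)
            continue
        try:
            form[name] = allowed[name](value)
        except ValueError:
            rejected.append(name)
    return form, rejected

def demo():
    # Constructed query string: ?test=hello&page=2&req=xxx
    fields = [("test", "hello"), ("page", "2"), ("req", "xxx")]
    try:
        merge_like_apply_fs_data({"req": FakeRequest()}, fields)
        outcome = "merged"
    except AttributeError as exc:  # 'req' already holds the request object
        outcome = str(exc)
    prefixed = merge_prefixed({"req": FakeRequest()}, fields)
    form, rejected = read_form(fields)
    return outcome, sorted(k for k in prefixed if k.startswith("_")), form, rejected

if __name__ == "__main__":
    print(demo())
```

With the prefix, the unexpected `req` field no longer crashes the merge but still lands in the namespace as `_req`; only the allow-list version reports it as rejected.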

