[mod_python] query_vars and form_vars

mod_python user python at theorb.net
Tue Jul 6 15:28:37 EDT 2004

Gregory (Grisha) Trubetskoy wrote:
> This behaviour is part of mod_python.util.FieldStorage class, which is a 
> little convenience tool. Protocol compliance is of little or no 
> relevance here, since you're free not to use it and process input data 
> using your own code or, for example using Python standard library 
> FieldStorage.
> Also, if I remember it correctly, most relevant RFC's tend to focus on 
> the behaviour of the browser (e.g. the user should be warned before a 
> POST if you hit reload, but not for GET), and there is nothing there 
> about how the form variables should appear to an application.
> As to why it processes GET and POST together and GET wins - that's a 
> matter of personal preference. I find it convenient to be able to 
> override variables in a form by appending them to the URL, and I think 
> most user-friendly applications should behave this way, because IMHO 
> ability to tinker with the URL is a good thing.

Thanks to all for their thoughtful responses.

It seems thoroughly broken to me.

If I define query_vars = [('name', [])] and then print(self.name) I am 
looking at the query variable AND the form variable.  Both form_vars and 
query_vars seem to pick up the other's values when the key names are the 
same.  If I'm looking for query info I definitely don't want form data 
supplied to me.

I'm very strongly of the opinion that they should not be intermixed and 
would consider this behavior to be a bug.

Not a rant or flame, just my personal opinion.

Mike Wright

> Some people believe that this should not be allowed because it enables a 
> user to alter hidden POST variables, which would otherwise be difficult, 
> but this seems to me like a silly argument. There are much more certain 
> ways of ensuring that hidden variables have not been modified, e.g. an 
> MD5 or SHA signature passed along.
> Grisha
> On Mon, 5 Jul 2004, Jorey Bump wrote:
>> mod_python user wrote:
>>> Hi all,
>>> I'm new to python and consequently mod_python but have discovered the 
>>> servlet" package, and actually have a small templated webapp up and 
>>> running.  Extremely powerful language.
>>> I would like to be able to retrieve both _form_ and _query_ 
>>> variables, even if they share the same name. e.g.
>>>   <form method='post' action='/?name=NAME_ONE'>
>>>     <input type='hidden' name='name' value='NAME_TWO' />
>>>     <input type='submit' />
>>>   </form>
>>> It seems that when both a GET and POST variable share the same name 
>>> that the GET (query) variable always wins.
>>> Does anybody know how this might be accomplished?
>> I don't know about servlets, but mod_publisher returns a list:
>> I don't know what causes this behaviour. Since only a POST request is 
>> sent, not a GET, I would expect any arguments in the URL to be ignored 
>> and only variables in the message body to be recognized.
>> I'd find out if this follows some kind of standard before relying on 
>> the order the values appear in a list. It could be arbitrary or 
>> undocumented (and therefore unpredictable).
>> _______________________________________________
>> Mod_python mailing list
>> Mod_python at modpython.org
>> http://mailman.modpython.org/mailman/listinfo/mod_python
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python

More information about the Mod_python mailing list