Update Pure HTML form


Jeff Riley

Jun 15, 2016, 9:52:22 AM
to web2py-users
All.  I was going to link this to my "Pure HTML Form" question just not sure how to do that.  As you see in that question I was able to get past my copy paste issue and get the create form to work perfectly.  Thank you all for the extra eyes.

Now I am building the update form and I am getting "user is tampering with form's record_id: None != 1".  I have tried removing the _formkey and setting session=None, but that does not seem to work either.  Have been searching the docs but nothing is slapping me upside the head.

Any ideas?

Jeff Riley

Jun 15, 2016, 10:16:29 PM
to web2py-users
Sorry to be a pest but I really do need an answer for this one so I can finish this update form page please.

Anthony

Jun 15, 2016, 11:19:10 PM
to web2py-users
Hard to say without seeing any details. You shouldn't be getting that error message unless you have passed in a record or are using a keyed table.

Anthony

Jun 15, 2016, 11:21:26 PM
to web2py-users
Also, if you're going to use SQLFORM, you should probably try to follow the documented custom form method rather than using completely custom HTML. At the very least, use form.custom.end to ensure you have the proper hidden fields.

Anthony

Jeff Riley

Jun 16, 2016, 5:57:26 AM
to web2py-users
Hey Anthony thank you very much for responding.  I am attaching the code I use for the create form which is working great and the code for the update form which is giving me the grief.  Please let me know if there is more information you might need and I so appreciate all your help.
CreatePureHTMLForm.docx
UpdateureHTMLForm.docx

Anthony

Jun 16, 2016, 12:17:29 PM
to web2py-users
For update forms, web2py includes the record ID as a hidden field and verifies that it matches the original record ID on the server to ensure the user doesn't try to update a different record. You have not included the record ID in your form, so this verification fails.

As noted earlier, please at least use form.custom.end in your custom HTML forms -- otherwise, you miss out on protection from CSRF and record ID tampering. Also, do not set session=None, or you will be open to CSRF attacks.

Anthony
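
The two server-side checks described in the reply above, as an added example that is not part of the original thread and is not web2py's source code. It is a simplified standard-library model: `UpdateFormModel`, its methods and the reason strings are hypothetical, and only the hidden field names `id`, `_formname` and `_formkey` follow web2py's.

```python
import hmac
import secrets


class UpdateFormModel:
    """Toy stand-in for a server-side update form; names are hypothetical."""

    def __init__(self, record_id, session, formname="person/update"):
        self.record_id = record_id
        self.session = session  # dict standing in for the server-side session
        self.formname = formname

    def hidden_fields(self):
        """Hidden inputs the page must post back (the role of form.custom.end)."""
        key = secrets.token_hex(16)
        self.session["_formkey[%s]" % self.formname] = key
        return {"id": str(self.record_id), "_formname": self.formname,
                "_formkey": key}

    def accepts(self, post_vars):
        """Return (ok, reason) for a dict of submitted POST variables."""
        posted_id = post_vars.get("id")
        if str(posted_id) != str(self.record_id):
            return False, "record_id mismatch: %s != %s" % (posted_id, self.record_id)
        # Single-use token: pop it so a captured form cannot be replayed.
        expected = self.session.pop("_formkey[%s]" % self.formname, None)
        posted_key = post_vars.get("_formkey", "")
        if expected is None or not hmac.compare_digest(expected, posted_key):
            return False, "missing or stale form key"
        return True, "accepted"


def demo():
    """Run constructed submissions against a form bound to record 1."""
    form = UpdateFormModel(record_id=1, session={})
    hidden = form.hidden_fields()
    out = {}
    # Hand-written HTML that posts only the visible input.
    out["bare_html"] = form.accepts({"name": "Alice"})
    # Hidden id changed to point at a different record.
    out["edited_id"] = form.accepts(dict(hidden, id="2", name="Alice"))
    # Right id, no token: what a cross-site post would look like.
    out["no_formkey"] = form.accepts({"id": "1", "name": "Alice"})
    hidden = form.hidden_fields()  # page rendered again, fresh token
    out["complete"] = form.accepts(dict(hidden, name="Alice"))
    out["replayed"] = form.accepts(dict(hidden, name="Alice"))
    return out
```

Calling `demo()` returns one `(ok, reason)` pair per constructed submission; only the one carrying all three hidden fields with a fresh key is accepted.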

Jeff Riley

Jun 16, 2016, 12:28:34 PM
to web...@googlegroups.com
Anthony thank you so very much. I will make these changes.

Thank you,
Jeff Riley

Jeff Riley

Jun 16, 2016, 9:12:01 PM
to web2py-users
So I need to know how to get the record ID from the database to pass to the update view.  Using the form start and end calls is not working.



Anthony

Jun 16, 2016, 10:27:39 PM
to web2py-users
You are passing a record to SQLFORM for editing - that is the record whose id is needed.

Hard to say what's wrong with the new code without seeing it.

Jeff Riley

Jun 17, 2016, 6:09:17 AM
to web2py-users
Anthony.  It was me being a complete idiot.  I had not removed the HTML form tags.  I have attached the code that is working perfectly now.  Thank you so much for having the patience of a Saint.


WorkingCreateForm.docx
WorkingUpdateForm.docx