args, vars, or session?

DenesL

Aug 7, 2008, 5:56:12 PM
to web2py Web Framework
args, vars, or session?
Is there a general guideline as to which one should be used to pass
data around?
Pros/cons of each one? Security considerations? Best practices?

/app/ctl/act/v1
/app/ctl/act?id1=v1
/app/ctl/act with session.id1=v1

would be seemingly equivalent
(the action obtains v1 in different ways in each case obviously)

As a starter:

args pros: no ids before values
args cons: must be received in the same order,
can not be easily secured,
can be faked from the client

vars pros: order is not important,
consistent with traditional CGI
vars cons: reveal the id,
can not be easily secured,
can be faked from the client

session pros: no ids before values,
order is not important,
can be easily secured,
can not be faked (kept server side)
session cons: ?

Timbo

Aug 8, 2008, 1:51:21 PM
to web2py Web Framework
To add a few things:

args pros: much cleaner urls

session cons: you have to get this data from the client somehow (a
POST is the only non-visible way, short of mind-meld)

=)

mdipierro

Aug 8, 2008, 2:14:35 PM
to web2py Web Framework
This is what I try to do but it is not a strict policy:

I use session to store data associated to the user (his name, address,
what he has access to or not), things that you ask once but not twice.
I do not store in session info about what the user is doing now.

I use args for information that is generated by web2py (record ID,
uploaded file name)

I use vars for everything else.

Massimo
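
An added example, not part of the original thread and not web2py's own code: a plain-Python model of the URL forms discussed above, where the record id arrives in args or vars and is treated as untrusted, while the user identity is read only from the server-side session. The record store, the `cid` key and the `show_record` action are hypothetical names constructed for illustration.

```python
# Illustration only: a simplified model of /app/ctl/act/<arg> and
# /app/ctl/act?key=value, not the web2py request parser.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: record id -> owner and title.
RECORDS = {14: {"owner": "alice", "title": "Q3 notes"},
           15: {"owner": "bob", "title": "Payroll"}}

def parse_request(url):
    """Split /app/ctl/act/a1/...?k=v into (args, vars)."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    args = segments[3:]  # whatever follows app/ctl/act
    # Keep the first value per key; a real action should decide how to
    # treat repeated keys instead of accepting them silently.
    vars_ = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return args, vars_

def record_id(args, vars_, key="cid"):
    """Read the id from args, else vars; both are client-controlled."""
    raw = args[0] if args else vars_.get(key)
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        return None
    return int(raw)

def show_record(url, session):
    """Return (status, body); identity comes only from the session."""
    user = session.get("user")
    if user is None:
        return 401, "login required"
    rid = record_id(*parse_request(url))
    if rid is None:
        return 400, "bad record id"
    rec = RECORDS.get(rid)
    # The id in the URL is only a request: ownership is checked server
    # side, and a missing or foreign record gives the same answer.
    if rec is None or rec["owner"] != user:
        return 404, "not found"
    return 200, rec["title"]
```

Changing the id in the path or the query string only changes which record is requested; the decision to serve it rests on the session value, which the client never sends.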

DenesL

Aug 15, 2008, 12:28:22 PM
to web2py Web Framework
According to the w3.org in html4:

<form action=URI ...>
<a href=URI ...>

but in my Firefox 2.0.0.16:

<a href="/app/default/show?cid=14">14</a>

works fine but

<form enctype="multipart/form-data" action="/app/default/show?cid=14"
method="link"><input value="Show" type="submit" /></form>

gets truncated to /app/default/show? on submit.

Does somebody know if this is normal behavior?
It would favor using args over vars since this works fine:

<form enctype="multipart/form-data" action="/app/default/show/14"
method="link"><input value="Show" type="submit" /></form>

Timbo

Aug 15, 2008, 12:35:13 PM
to web2py Web Framework
I suppose it does that because your browser builds the "?key=value"
part of a URL whenever you submit a form.
Instead of putting cid=14 on the end of your action, you should
include this in your form somewhere:

<input type="hidden" name="cid" value="14" />

DenesL

Aug 15, 2008, 1:23:29 PM
to web2py Web Framework
I was focusing too much on the fact that they were both URIs and
forgot how forms work (momentarily).
Thanks Timbo.

Massimo Di Pierro

Aug 15, 2008, 2:12:46 PM
to web...@googlegroups.com
Instead of using

FORM(....,action=URL(....,vars=dict(cid=14)))

use

FORM(....,action=URL(....),hidden=dict(cid=14))

Works with SQLFORM too, and if action is self it is not necessary.

Massimo Di Pierro

Aug 15, 2008, 2:13:54 PM
to web...@googlegroups.com
All I can say is that having both GET and POST variables is not
supported by all browsers.

DenesL

Aug 15, 2008, 5:16:07 PM
to web2py Web Framework
> FORM(....,action=URL(....),hidden=dict(cid=14))

Nice tip, I haven't seen that before.
I will have to look at the code more often.

mdipierro

Aug 16, 2008, 11:16:53 AM
to web2py Web Framework
This was so well "hidden" I almost forgot about it too.
I hope I can still revise the manual and add a line about it.

Massimo