问题
I pass some parameters to django by a POST request. How can I validate if a parameter is an integer, a String and also that there is no unsecure stuff like code injection inside? Is there a django function I can use?
For example:
if request.method == 'POST':
print request.POST.get('user_comment')
How can I check if the POST parameter contains a non dangerous String for my system? Something like
request.POST.get('user_comment').is_valid()
Thanks.
回答1:
For checking if POST data is safe, have correct type etc you can use forms in django. For example if you're expecting 3 required parameters, one string and 2 integers, you can create form:
from django import forms
class MyValidationForm(forms.Form):
first = forms.CharField()
second = forms.IntegerField()
third = forms.IntegerField()
And using it in view:
if request.method == 'POST':
form = MyValidationForm(request.POST, request.FILES)
if not form.is_valid():
# print some error here
else:
# do whatever you like
For filtering if string doesn't contain something dangerous, there is no general solution. There are different threats for databases, XSS etc so there is no way to filter it all.
回答2:
If you are using Django REST Framework then you can do something like following inside your view.
from rest_framework import status
from rest_framework.views import APIView
class MyView(APIView):
def post(self , request):
serializer = MySerializer(data = request.data)
if serializer.is_valid():
serializer.save()
return Response({"status" : "Success"} , status = status.HTTP_201_CREATED)
If you are not using DRF the do have a look at serializers.py to see how is_valid() is implemented. Basically, it calls run_validators() function of django.db.models.fields. Hope this helps!
回答3:
You can consider using cleaned_ before your field to put validations on it. For instance if you want to check the username, and u have a model defined for it like,
class MyModel(models.Model):
username = model.CharField(max_length = 255)
then for the same you have a form like under
class MyForm(forms.ModelForm):
class Meta:
model = MyModel
fields = ['username']
def clean_username(self):
username = self.cleaned_data.get('username')
""" this will give you the actual username from the field
Now you may get that validated
"""
if username == "blah blah":
return forms.ValidationError("This isnt any name!")
else:
return username
This is per the django documentation which says:
"The clean() method on a Field subclass is responsible for running to_python(), validate(), and run_validators() in the correct order and propagating their errors. If, at any time, any of the methods raise ValidationError, the validation stops and that error is raised. This method returns the clean data, which is then inserted into the cleaned_data dictionary of the form.
The clean_() method is called on a form subclass – where is replaced with the name of the form field attribute. This method does any cleaning that is specific to that particular attribute, unrelated to the type of field that it is. This method is not passed any parameters. You will need to look up the value of the field in self.cleaned_data and remember that it will be a Python object at this point, not the original string submitted in the form (it will be in cleaned_data because the general field clean() method, above, has already cleaned the data once)."
回答4:
the easiest way is to create a form:
from django import forms
class SingleForm(forms.Form):
user_comment = forms.CharField(max_length=100)
then
comment = SingleForm(request.POST or None)
if comment.is_valid():
# here everything is cleaned and safe
or you want to do it without a form?
回答5:
Regarding code injection, you can use bleach to sanitize user input:
>>> import bleach
>>> bleach.clean('an <script>evil()</script> example')
u'an <script>evil()</script> example'
You can find more information about security on the official Django documentation:
- Security in Django
- strip_tags
- remove_tags
来源:https://stackoverflow.com/questions/33829305/django-how-to-validate-post-parameters