All that things like :record and :records do (after reading various docs) is pass a variable named items with the following attributes: .desc, .item, .qty. What you do with that variable is then up to you. I don't see how using this functionality is in any way a security hole.

I would love an equivalent :object and :objects flag, something like this:

<dtml-in "range(item_count)">
<input type=text size=30 name="items.desc:objects:Item">
<input type=text size=15 name="items.item:objects:Item">
<input type=text size=10 name="items.qty:objects:Item">
</dtml-in>

Where an 'object' (or objects) is created (a Python class is instantiated) and getter and setter methods for .desc, .item and .qty get called with the provided values. For instance the above snippet would create a new object called items, which is an instance of class Item. Class Item would have get_desc, get_item, get_qty, set_desc, set_item, set_qty methods. These would then act as classic getter and setter methods.

On Sat, 2003-03-08 at 21:56, Dylan Reinhardt wrote:
At 03:29 PM 3/8/2003, Eduardo Bastos wrote:
for example (record)...

<input type=text name=person.name:record size=30>

you have a method person and an attribute name.

for example (records)...

<dtml-in "range(item_count)">
<input type=text size=30 name="items.desc:records">
<input type=text size=15 name="items.item:records">
<input type=text size=10 name="items.qty:records">
</dtml-in>
My unsolicited $.02:
You may want to think twice about relying on this for a public-facing production system.
The first rule of security for a public web site is to validate *all* client input. That includes posted values, *and* field names.
Depending on the client to post a form without tweaking the field names is a pretty trusting position to take, IMO. If you're going to validate your data anyway, what's the point of specifying data types at any point prior to validation?
Including meaningful field names in your form just gives you one more failure point... it's one more thing you should be validating but most likely aren't, or you wouldn't be using it in the first place.
The field name hack is a really neat trick... but it's not something I'd advise depending on for anything important that gets public exposure.
FWIW,
Dylan
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

--
Edward Muller
Interlix - President
Web Hosting - PC Service & Support
Custom Programming - Network Service & Support
Phone: 417-862-0573 Cell: 417-844-2435 Fax: 417-862-0572
http://www.interlix.com
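As an added illustration of the point argued in the thread (example code written for this page, not Zope's own marshalling code): a minimal re-implementation of the ":records" field-name convention, followed by the schema validation step that Dylan recommends, so that a field name edited on the client side cannot introduce an attribute the form never offered. The field-name format, ITEM_SCHEMA and the POSTED/TAMPERED sample values are assumptions constructed for the example.

```python
import re

# Hypothetical, simplified version of the ":records" convention discussed above:
# "items.desc:records" names list "items", attribute "desc"; when the attribute
# already exists on the last record, a new record is started (constructed here,
# not Zope's implementation).
_FIELD = re.compile(r"^(\w+)\.(\w+):records$")


def marshal_records(fields):
    """fields: list of (name, value) pairs in posting order."""
    records = {}
    for name, value in fields:
        m = _FIELD.match(name)
        if not m:
            continue  # plain field, not a :records field
        listname, attr = m.groups()
        recs = records.setdefault(listname, [])
        if recs and attr not in recs[-1]:
            recs[-1][attr] = value
        else:
            recs.append({attr: value})
    return records


# A fixed schema decides which attributes may exist and what type each must
# be. Field names are client input just like values, so the check rejects both
# unknown attributes and values that fail type conversion.
ITEM_SCHEMA = {"desc": str, "item": str, "qty": int}


def validate_items(records, schema=ITEM_SCHEMA):
    clean = []
    for rec in records:
        if set(rec) != set(schema):
            raise ValueError("unexpected or missing attributes: %s" % sorted(rec))
        clean.append({k: schema[k](rec[k]) for k in schema})  # int("x") raises
    return clean


# Constructed sample posts: a well-formed submission and one with an edited name.
POSTED = [
    ("items.desc:records", "Widget"), ("items.item:records", "W-1"), ("items.qty:records", "2"),
    ("items.desc:records", "Gadget"), ("items.item:records", "G-7"), ("items.qty:records", "5"),
]
TAMPERED = POSTED[:3] + [("items.discount:records", "100")]

if __name__ == "__main__":
    print(validate_items(marshal_records(POSTED)["items"]))
```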