[Zope] assignment to form records

Dylan Reinhardt zope@dylanreinhardt.com
Sat, 08 Mar 2003 19:56:09 -0800


At 03:29 PM 3/8/2003, Eduardo Bastos wrote:

>for example (record)...
><input type=text name=person.name:record size=30>
>you have a method person and an attribute name.
>
>for example (records)...
><dtml-in "range(item_count)">
>   <input type=text size=30 name="items.desc:records">
>   <input type=text size=15 name="items.item:records">
>   <input type=text size=10 name="items.qty:records">
></dtml-in>

My unsolicited $.02:

You may want to think twice about relying on this for a public-facing 
production system.

The first rule of security for a public web site is to validate *all* 
client input.  That includes posted values, *and* field names.

Depending on the client to post a form without tweaking the field names is 
a pretty trusting position to take, IMO.  If you're going to validate your 
data anyway, what's the point of specifying data types at any point prior 
to validation?

Including meaningful field names in your form just gives you one more 
failure point... it's one more thing you should be validating but most 
likely aren't, or you wouldn't be using it in the first place.

The field name hack is a really neat trick... but it's not something I'd 
advise depending on for anything important that gets public exposure.

FWIW,

Dylan
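The advice above boils down to: treat both the posted values and the field names (including the `:record` / `:records` type suffixes) as untrusted, and check them against a server-side definition of what the form is allowed to contain. The following is an added example, not code from this thread or from Zope. It re-implements a simplified version of the `:records` grouping only so that the validation step can be shown; the `ITEMS_SCHEMA`, the length limits and the two sample POST bodies are constructed assumptions based on the quoted form.

```python
"""Server-side validation of Zope-style ':records' form input.

Added example, not code from the original thread or from Zope itself.
The grouping step is a simplified stand-in for Zope's marshalling
(assumption); the schema, field limits and sample POST data are constructed.
"""

# Constructed sample: a POST of the quoted form with item_count == 2,
# as (name, value) pairs.  Names and values both come from the client,
# so neither is trusted below.  The second record has a bad quantity.
SAMPLE_POST = [
    ("items.desc:records", "Widget"),
    ("items.item:records", "W-100"),
    ("items.qty:records", "3"),
    ("items.desc:records", "Gadget"),
    ("items.item:records", "G-200"),
    ("items.qty:records", "-1"),
]

# Constructed sample: a POST carrying a field name the form never defined.
EXTRA_FIELD_POST = [
    ("items.desc:records", "Widget"),
    ("items.item:records", "W-100"),
    ("items.qty:records", "3"),
    ("items.price:records", "0"),
]


def group_records(pairs):
    """Simplified stand-in for ':records' grouping (assumption, not Zope's
    code): 'prefix.attr:records' appends to the current record of 'prefix',
    starting a new record whenever the attribute repeats."""
    records = {}
    for name, value in pairs:
        base, _, suffix = name.partition(":")
        if suffix != "records" or "." not in base:
            continue  # not a ':records' field; ignored here
        prefix, attr = base.split(".", 1)
        recs = records.setdefault(prefix, [])
        if not recs or attr in recs[-1]:
            recs.append({})
        recs[-1][attr] = value
    return records


def bounded_str(max_len):
    """Validator factory: non-empty string of at most max_len characters."""
    def check(v):
        v = v.strip()
        if not v or len(v) > max_len:
            raise ValueError(f"length must be 1..{max_len}")
        return v
    return check


def non_negative_int(v):
    """Validator: decimal digits only, returned as int."""
    if not v.isdigit():
        raise ValueError("must be a non-negative integer")
    return int(v)


# Server-side source of truth for the 'items' records: the only field names
# accepted and how each value must validate.  The HTML form is irrelevant here.
ITEMS_SCHEMA = {
    "desc": bounded_str(30),
    "item": bounded_str(15),
    "qty": non_negative_int,
}


def validate_records(recs, schema):
    """Return (clean_records, errors).  Each record must contain exactly the
    schema's field names; every value is converted and checked server-side,
    whatever type suffix the client put in the field name."""
    clean, errors = [], []
    for i, rec in enumerate(recs):
        unexpected = sorted(set(rec) - set(schema))
        missing = sorted(set(schema) - set(rec))
        if unexpected or missing:
            errors.append((i, f"fields mismatch: unexpected={unexpected} missing={missing}"))
            continue
        out, ok = {}, True
        for attr, check in schema.items():
            try:
                out[attr] = check(rec[attr])
            except ValueError as exc:
                errors.append((i, f"{attr}: {exc}"))
                ok = False
        if ok:
            clean.append(out)
    return clean, errors


def process_items(pairs):
    """Group the posted pairs, then validate the 'items' records against the schema."""
    grouped = group_records(pairs)
    return validate_records(grouped.get("items", []), ITEMS_SCHEMA)


if __name__ == "__main__":
    print(process_items(SAMPLE_POST))
    print(process_items(EXTRA_FIELD_POST))
```

Because the schema lives on the server, a record with an unknown or missing attribute is rejected at the field-name level, and a value that fails its check is rejected at the value level; the `:records` suffix only affects grouping, never what is accepted.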