html forms, dicts and lists

Duncan Booth duncan at NOSPAMrcp.co.uk
Thu Aug 1 04:56:12 EDT 2002


Paul Rubin <phr-n2002b at NOSPAMnightsong.com> wrote in 
news:7xy9br4an3.fsf at ruckus.brouhaha.com:

> Kai Keliikuli <kai at keliikuli.com> writes:
>> I'm wanting to do more with html forms and their processing
>> than I'm able to using the cgi module, but I've had no luck
>> RTFMing or googling.  I want to interpret the following html
>> form inputs like so
>> 
>> form: <input type="text" name = "d['a']['b']" value="foo">
>> interpreted: d = {'a':{'b':'foo'}}
> 
> Don't do that, for the usual reasons it's bad to use 'eval' or 'exec'.
> Even if you don't do it the obvious way with exec, you'll have to do
> complicated enough filtering to have a big chance of leaving some hole
> where a hostile client can take over your application.
> 
> Just use ordinary form and field names and interpret them in your cgi.

While the above answer is very valid, it is possible to do something 
similar to the original poster's request safely. Zope will take forms such 
as:

<P><H2>Member #1</H2></P><BR>
<P>Please enter your name:<BR>
<INPUT TYPE="text" NAME="member.name:records:ignore_empty" SIZE="30"><BR>
your email:<BR>
<INPUT TYPE="text" NAME="member.email:records:ignore_empty" SIZE="30"><BR>
your age:<BR>
<INPUT TYPE="hidden" NAME="member.age:int:records:default" Value="0"><BR>
<INPUT TYPE="text" NAME="member.age:int:records:ignore_empty"></P><BR>


<P><H2>Member #2</H2></P><BR>
<P>Please enter your name:<BR>
<INPUT TYPE="text" NAME="member.name:records:ignore_empty" SIZE="30"><BR>
your email:<BR>
<INPUT TYPE="text" NAME="member.email:records:ignore_empty" SIZE="30"><BR>
your age:<BR>
<INPUT TYPE="text" NAME="member.age:int:records:ignore_empty"><BR>
</P>

The above sample (taken from 
http://www.zope.org/Members/Zen/howto/FormVariableTypes) will let the code 
executing in Zope refer to a list of records. e.g. 
   for member in request.form['member']:
       name, email, age = member.name, member.email, member.age

This is especially useful when you want to edit a set of records all in one 
go. You simply make sure each record has a hidden field with the record 
number and the form can be as long as you like.

I'm not suggesting the original poster wants to move to Zope, but although 
their idea is a bit wide of the mark, there are ways to do what they want 
safely.

BTW, it *is* possible to get the above functionality without running all of 
Zope. I recently did some experiments to see how hard it was to extract the 
ZServer component of Zope and it turns out to be pretty straightforward. 
ZServer+ZPublisher+ZLog+a few lines from z2.py gives you a working multi-
threaded lightweight web-server with a nice simple object model including 
the above argument processing. I tried to take it one step further --- I 
wanted a lightweight web server with ZPT, but it looks a bit harder to 
extract a workable ZPT from Zope.

I don't know how hard it would be to extract ZPublisher for CGI, but since 
its predecessor (Bobo) worked that way I think it wouldn't be too hard.

Alternatively the OP could try to find a copy of Bobo.

-- 
Duncan Booth                                             duncan at rcp.co.uk
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
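An added example of the suffix-driven form parsing described in the post above (this is not Duncan's code and not Zope's own ZPublisher): it handles the :int, :records, :ignore_empty and :default markers from the sample form, assumes an urlencoded query string as input, and treats the client's field names purely as data, never evaluating them. The submission below is constructed from the two-member form.

```python
from urllib.parse import parse_qsl, urlencode

# Type suffixes; int() fails closed on bad input instead of evaluating it.
CONVERTERS = {'int': int, 'string': str}

def parse_zope_form(query):
    """Interpret names like 'member.age:int:records:ignore_empty'.
    ':records' fields become a list of dicts; a repeated attribute
    starts a new dict."""
    form, defaults = {}, {}
    for raw_name, value in parse_qsl(query, keep_blank_values=True):
        name, *flags = raw_name.split(':')
        if 'ignore_empty' in flags and value == '':
            continue
        for flag in flags:
            if flag in CONVERTERS:
                value = CONVERTERS[flag](value)
        target = defaults if 'default' in flags else form
        if 'records' in flags:
            key, attr = name.split('.', 1)
            records = target.setdefault(key, [])
            if not records or attr in records[-1]:
                records.append({})
            records[-1][attr] = value
        else:
            target[name] = value
    # ':default' values only fill in what the client left out.
    for key, dval in defaults.items():
        if key not in form:
            form[key] = dval
        elif isinstance(dval, list):
            for drec in dval:
                for rec in form[key]:
                    for attr, val in drec.items():
                        rec.setdefault(attr, val)
    return form

# Constructed submission of the two-member form above: member 2 left the
# age box empty, so it is skipped and the hidden ':default' supplies 0.
SAMPLE_QUERY = urlencode([
    ('member.name:records:ignore_empty', 'Ann'),
    ('member.email:records:ignore_empty', 'ann@example.com'),
    ('member.age:int:records:default', '0'),
    ('member.age:int:records:ignore_empty', '34'),
    ('member.name:records:ignore_empty', 'Bob'),
    ('member.email:records:ignore_empty', 'bob@example.com'),
    ('member.age:int:records:ignore_empty', ''),
])
for member in parse_zope_form(SAMPLE_QUERY)['member']:
    print(member['name'], member['email'], member['age'])
```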