Not getting all keys in FieldStorage (Multipart form data)

Alan Kennedy alanmk at hotmail.com
Wed Jun 4 15:38:05 CEST 2003


Max M wrote:

> Here you are mixing stuff:
> 
> action="%s/admin/additem.py?bookid=%s&image=yes"
> 
> you should not pass parameters as part of the action. 
> Do it as a hidden field instead.

> I think it is undefined what happens in this case. Most likely the
> browser ignores the parameteres in your action, and just add those from
> the form itself.
> 
> Anyway it isn't legal.

I don't think the specs specify either legality or illegality. On reading the
(supposedly) definitive section of the HTML 4.01 spec on form submission, 

http://www.w3.org/TR/html401/interact/forms.html#submit-format

it says:

"The action attribute may take two values:

 o get: With the HTTP "get" method, the form data set is appended to the URI
specified by the action attribute (with a question-mark ("?") as separator) and
this new URI is sent to the processing agent. 
 o post: With the HTTP "post" method, the form data set is included in the body
of the form and sent to the processing agent."

And later says

"HTML 4 user agents must support the established conventions in the following
cases:

 o If the method is "get" and the action is an HTTP URI, the user agent takes
the value of action, appends a `?' to it, then appends the form data set,
encoded using the "application/x-www-form-urlencoded" content type. The user
agent then traverses the link to this URI. In this scenario, form data are
restricted to ASCII codes. 
 o If the method is "post" and the action is an HTTP URI, the user agent
conducts an HTTP "post" transaction using the value of the action attribute and
a message created according to the content type specified by the enctype
attribute. 

For any other value of action or method, behavior is unspecified."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

My reading of this is that the OP should do as Max says: don't use query
parameters in the action URI as well as data in the entity body. Although an
argument could be made that the technique is valid, it is not explicitly
mentioned in the HTML spec, and therefore the "behaviour is unspecified".

For example, the recommended action for the "GET" method says "the user agent
takes the value of action, appends a `?' to it...", which implies that there
shouldn't be a "?" there already, as in the OPs code.

The CGI "spec" specifies two different mechanisms for providing access to the
two different types of query data. URI query data, after the "?", should be made
available in the "QUERY_STRING" environment variable, whereas POSTed or PUT form
data should be made available on standard input. There is no specification of
what to do when both forms of data are specified, and therefore no guidance on
what the cgi.py module should do.

http://hoohoo.ncsa.uiuc.edu/cgi/env.html

Best to follow the simple rules stated than try to interpret situations outside
the explicitly stated rules.

HTH,

-- 
alan kennedy
-----------------------------------------------------
check http headers here: http://xhaus.com/headers
email alan:              http://xhaus.com/mailto/alan




More information about the Python-list mailing list