March 5th, 2002, 02:37 AM
You're declaring it as an int on the form itself... since web programs are stateless and since you can fake any request by typing the URL, it'd be too easy to send it with just the name "distance" and the FormProcessor would have no idea to enforce it as an int. Is this a flaw in Zope or is this problem beyond the scope of the tutorial? Just seems so basic that you need to tell FormProcessor which fields to enforce as which type *IN* FormProcessor, not in the HTML form itself.
March 5th, 2002, 07:19 AM
Yeah I spotted that as well - is this a fundamental flaw in the design of Zope?
As far as error messages go the article mentions that you can customise the page - is there a mroe advanced way of handling errors (some kind of exception catching mechanism) to allow you to do something like re-display the form with an asterisk next to the incorrectly filled in field?
March 5th, 2002, 10:37 AM
Re: Re: Flawed?
* Python (hence Zope which is built with Python) has excellent exceptions.
* One could handle types in FormProcessor.
* This site, and many others, use Zope. Give it a shot ... it has a step learning curve but is quite robust and very fast.
March 5th, 2002, 11:07 AM
Re: Re: Re: Flawed?
So Python's exception handling can be easily used within the Zope framework? Excellent.
I've started playing with Zope already and I'm very interested in it as a CMS / Web Framework - but this checking of types via form fields does seem to me to be a badly designed element of Zope. Since it has a complete lack of security any serious developer will have to write type handling code into FormProcessor which would make the type information in the form fields redundant in any case.
March 7th, 2002, 10:40 AM
Re: Re: Re: Re: Flawed?
Yes this approach is flawed in that respect. Any serious checking would have to be done on the server side, its an option use it as you will. Look at Formulator it does server side processing for you.
March 7th, 2002, 01:08 PM
I don't think it's that much of a security hole -- using an unexpected type in Python code will usually only lead to an exception. The user who manipulates the input will get an unfriendly error message, but that's no big deal -- you don't need to provide pretty interfaces for malicious users.<p>
A much more significant flaw is in using "From: <dtml-var email>" in the submission. It's easy enough to submit a value with newlines, and mess with the headers of the email as you wish. You could BCC people with spam, include odd things in the body, include attachments, or whatever. I haven't tested this exploit, but it seems like it should exist. <p>
There really needs to be a validation function on that term before it's called. Altogether, while it's important to show simple and accessible examples, those examples are far short of anything you'd want public -- and unfortunately (for Zope) it seems like public-ready examples are rather complicated. <p>
Maybe with Formulator...
July 26th, 2002, 02:36 PM
I like this article and I need more about the power of Zope !!
Form Processing With Zope
Form Processing With Zope
February 26, 2002 - Ever wondered how to create and process HTML forms in the Zope environment? Relax. It's simpler than you think. Read full article .
Please discuss this article in this thread. You can read the article here .