Using GET in a Django Form


Question

I have a question regarding Django Forms and GET.

I have a form to download student scores in CSV format. The fields are name and year, so I have a forms.py:

from django import forms

class StudentDownloadForm(forms.Form):
    name = forms.CharField()
    year = forms.CharField()

I want to use it in

context = {'student_form': StudentDownloadForm(),}

<form action="" method="GET">
  {% csrf_token %}{{ student_form|crispy }}
  <input type="submit" value="Query"/>
</form>

So my questions are as follows:

  • If I use method="GET", then the csrf token is visible in the URL, which is a security issue
  • Can I then use method="POST" instead?
  • Alternatively, can I remove the csrf token from the form?

Answer

According to the Django documentation (Cross Site Request Forgery protection):

For all incoming requests that are not using HTTP GET, HEAD, OPTIONS or TRACE, a CSRF cookie must be present, and the ‘csrfmiddlewaretoken’ field must be present and correct. If it isn’t, the user will get a 403 error.

And:

It deliberately ignores GET requests (and other requests that are defined as ‘safe’ by RFC 2616). These requests ought never to have any potentially dangerous side effects, and so a CSRF attack with a GET request ought to be harmless. RFC 2616 defines POST, PUT and DELETE as ‘unsafe’, and all other methods are assumed to be unsafe, for maximum protection.

So, you can omit the CSRF token for GET requests.
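To make the quoted rule concrete, here is an added example (not Django's own code and not part of the answer) that models the check in plain Python: safe methods pass untouched, unsafe methods need a matching cookie and form token, and any field a GET form carries, a csrf token included, lands in the query string. The token comparison is simplified (Django masks its tokens); the URL, field values and cookie name here are constructed for the demonstration.

```python
from hmac import compare_digest
from http import HTTPStatus
from urllib.parse import parse_qs, urlencode

# RFC 2616 'safe' methods: Django's CSRF middleware deliberately ignores these.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
COOKIE_NAME = "csrftoken"            # name Django uses for the CSRF cookie
FIELD_NAME = "csrfmiddlewaretoken"   # hidden field rendered by {% csrf_token %}


def csrf_check(method, cookies, form_data):
    """Status the CSRF check would yield for one request (simplified model).

    Safe methods are accepted without looking at any token. For every other
    method both the cookie and the form field must be present and must match,
    otherwise the request is rejected with 403.
    """
    if method.upper() in SAFE_METHODS:
        return HTTPStatus.OK
    cookie_token = cookies.get(COOKIE_NAME)
    field_token = form_data.get(FIELD_NAME)
    if cookie_token is None or field_token is None:
        return HTTPStatus.FORBIDDEN      # cookie or field missing
    if not compare_digest(cookie_token, field_token):
        return HTTPStatus.FORBIDDEN      # present but incorrect
    return HTTPStatus.OK


def build_get_url(action, fields):
    """URL a browser produces when submitting a method="GET" form:
    every named field, hidden ones included, is encoded into the query string."""
    return f"{action}?{urlencode(fields)}"


def token_in_url(url):
    """True if the CSRF token ended up in the query string (logs, history, Referer)."""
    return FIELD_NAME in parse_qs(url.partition("?")[2])


if __name__ == "__main__":
    scores = {"name": "Ann", "year": "2013"}                  # constructed input
    print(csrf_check("GET", {}, scores))                       # OK, no token needed
    print(csrf_check("POST", {}, scores))                      # FORBIDDEN
    print(token_in_url(build_get_url("/scores/", {FIELD_NAME: "t0k3n", **scores})))
```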
