What is a more efficient way to pass variables from Template to View in Django?
Problem description
My question involves passing variables from the template to view in Django.
I know of passing variables in the URL and through a form. The problem I have with the first one is that the url could be manipulated which is not what I want. Is there anyway to prevent that?
Right now this is what I have as a band-aid:
<form action="/match/" method="post">
{% csrf_token %}
<input type="hidden" name="name1" value="{{ male_results }}">
<input type="hidden" name="userid1" value="{{ male_pic_userid }}">
<input type="hidden" name="name2" value="{{ female_results }}">
<input type="hidden" name="userid2" value="{{ female_pic_userid }}">
<input type="submit" value="Submit" />
</form>
Is there a way to avoid having to use this? Thank you!
There are broadly 3 ways to hold onto this kind of information:
Session (my suggestion for your situation)
Just stuff the data you want into the request.session dictionary; it'll persist per-user, and you can access it easily:
# view1
request.session['name1'] = male_results
request.session['userid1'] = male_pic_userid
# view2 (or elsewhere in view1)
male_results = request.session.get('name1')
male_pic_userid = request.session.get('userid1')
Advantages
- No changes needed to your templates (except removing your now-unnecessary forms).
- Clean URLs
- Persists even through closing and re-opening the browser window
- You don't need to worry about users modifying or even seeing the session data (it's way more secure)
Disadvantages
- As with POST, page content is dictated by the URL and session data — URLs are no longer unique, and users can't share a particular page that relies on session info
Query parameters
Something like /match/?name1=foo1&userid1&name2=bar&userid2=2. You can either add these manually (<a href='/match/?name1={{ male_results }}...) or by changing your POST form to GET.
Advantages
- These URLs can be shared and bookmarked; if it's a list with filtering options, this is probably desirable ("Here's the list of cars I like" posted to Facebook, etc.)
Disadvantages
- As you've already noted, these can be freely modified by the user
- Adding these to every URL is a massive pain
POST form (your current approach)
Advantages
- A little more hidden (nothing user-visible without some kind of browser extension)
- Slightly harder to manipulate (though don't rely on this security-through-obscurity)
- Cleaner URLs
Disadvantages
- Leads to "this page has expired" messages on Internet Explorer if you use your browser's "back" button ...
- ... and "Are you sure you want to re-send this data" messages on most browsers if users try to reload any of your pages
- All this state information will be lost if a user re-opens the page (pressing "return" in the URL bar, for instance)
- Users can't share the exact page they're looking at; the content is partly determined by non-user-visible information
- Adding POST data to every navigation action is a huge pain.
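The session pattern the answer recommends, together with a signed-query-parameter variant for the case where the URL still has to be shareable, as an added example that is not part of the original question or answer. It runs without Django: `FakeRequest` is a constructed stand-in for the request object, `SECRET_KEY` is a constructed value standing in for `settings.SECRET_KEY`, and the view names and the HMAC signing helpers are assumptions (they mirror what `django.core.signing` does rather than calling it).

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET_KEY = b"constructed-secret-do-not-reuse"  # stand-in for settings.SECRET_KEY


class FakeRequest:
    """Constructed stand-in exposing only the attributes the views use."""
    def __init__(self, session=None, POST=None):
        self.session = {} if session is None else session
        self.POST = {} if POST is None else POST


def pick_view(request, male_results, male_pic_userid):
    # view1: keep the server-chosen pair in the session, not in a hidden field
    request.session["name1"] = male_results
    request.session["userid1"] = male_pic_userid


def match_view(request):
    # view2: read the pair back from the session; request.POST is never consulted,
    # so a tampered hidden field cannot change which pair gets matched
    name1 = request.session.get("name1")
    userid1 = request.session.get("userid1")
    if name1 is None or userid1 is None:
        return 400, "no selection in session"
    return 200, (name1, userid1)


def sign_params(params):
    """Return a query string carrying an HMAC over the sorted parameters."""
    payload = urlencode(sorted(params.items()))
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "&sig=" + sig


def verify_params(query):
    """Return the parameters if the signature matches, otherwise None."""
    parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = parsed.pop("sig", "")
    expected = hmac.new(SECRET_KEY, urlencode(sorted(parsed.items())).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the MAC
    return parsed if hmac.compare_digest(sig, expected) else None
```

The signed variant keeps the URL bookmarkable while making any edit to name1/userid1 detectable; it does not hide the values, so it is only appropriate where they are not secret.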