[Fixed]-Django how to validate POST Parameters

by

20👍

For checking if POST data is safe, have correct type etc you can use forms in django. For example if you’re expecting 3 required parameters, one string and 2 integers, you can create form:

from django import forms

class MyValidationForm(forms.Form):
    first = forms.CharField()
    second = forms.IntegerField()
    third = forms.IntegerField()

And using it in view:

if request.method == 'POST':
    form = MyValidationForm(request.POST, request.FILES)
    if not form.is_valid():
        # print some error here
    else:
        # do whatever you like

For filtering if string doesn’t contain something dangerous, there is no general solution. There are different threats for databases, XSS etc so there is no way to filter it all.

👤GwynBleidD

9👍

If you are using Django REST Framework then you can do something like following inside your view.

from rest_framework import status
from rest_framework.views import APIView

class MyView(APIView):
  def post(self , request):
    serializer = MySerializer(data = request.data)
    if serializer.is_valid():
      serializer.save()
      return Response({"status" : "Success"} , status = status.HTTP_201_CREATED)

If you are not using DRF the do have a look at serializers.py to see how is_valid() is implemented. Basically, it calls run_validators() function of django.db.models.fields. Hope this helps!

👤Muhammad Fahad Manzoor

4👍

You can consider using cleaned_ before your field to put validations on it.
For instance if you want to check the username, and u have a model defined for it like,

class MyModel(models.Model):
    username = model.CharField(max_length = 255)

then for the same you have a form like under

class MyForm(forms.ModelForm):
    class Meta:
        model = MyModel
        fields = ['username']

    def clean_username(self):
        username = self.cleaned_data.get('username')
        """ this will give you the actual username from the field
            Now you may get that validated
        """
        if username == "blah blah":
            return forms.ValidationError("This isnt any name!")
        else:
            return username

This is per the django documentation which says:

“The clean() method on a Field subclass is responsible for running to_python(), validate(), and run_validators() in the correct order and propagating their errors. If, at any time, any of the methods raise ValidationError, the validation stops and that error is raised. This method returns the clean data, which is then inserted into the cleaned_data dictionary of the form.

The clean_() method is called on a form subclass – where is replaced with the name of the form field attribute. This method does any cleaning that is specific to that particular attribute, unrelated to the type of field that it is. This method is not passed any parameters. You will need to look up the value of the field in self.cleaned_data and remember that it will be a Python object at this point, not the original string submitted in the form (it will be in cleaned_data because the general field clean() method, above, has already cleaned the data once).”

👤Rahul

2👍

the easiest way is to create a form: 

from django import forms

class SingleForm(forms.Form):
    user_comment = forms.CharField(max_length=100)

then 

comment = SingleForm(request.POST or None)
if comment.is_valid():
    # here everything is cleaned and safe

or you want to do it without a form?

👤doniyor

1👍

Regarding code injection, you can use bleach to sanitize user input:

>>> import bleach
>>> bleach.clean('an <script>evil()</script> example')
u'an &lt;script&gt;evil()&lt;/script&gt; example'

You can find more information about security on the official Django documentation:

👤César

Leave a comment