Monday, November 15, 2010

Re: Dynamic user-filtered search

OK, so I wrote some UNPROTECTED jQuery/Django code to pass filters to
the database. Through a combination of drop-down boxes and user input
boxes (exactly like you would see in iTunes), I am using jQuery to
construct the filter.

As an example, let's say the user selects in the first drop-down:
"Year". For the second drop-down: "is". The last is an input box
where the user enters "2005". This criterion is put into an array:

{"includes": [["year__iexact", "2005"]],
"excludes": []},

"includes"/"excludes" separates criteria like "is", "is before"
from things like "is not".
"all" designates that the filter should "match all", not "match any".

This is converted to JSON and posted to Django.

The view in django then puts the data into the filter:
incdict[ filter[0].encode('utf-8') ] = filter[1].encode('utf-8')

This becomes (the value is still a string at this point):
incdict['year__iexact'] = '2005'

That is fed into the query:
query_set = Film.objects.filter(**incdict)

OK, I hope that was clear. What I ask now is how to protect against
the unscrupulous user who seeks to bypass/exploit the input. Do I
need to escape special characters? Data validation? What is the best
way to protect the system?


On Nov 12, 7:27 am, Masklinn <> wrote:
> On 2010-11-12, at 13:20 , Ed wrote:
> > It seems simple from a SQL point of view, but I'm wondering what the
> > best implementation would be to go from a Django form to MySQL.
> > The above is an example.  In practice, I would want to dynamically
> > populate the filter criteria/fields. Any suggestions on a starting
> > point?
> Create a strict translator (remember that your users can and will try to bypass/exploit whatever you give them, including selects) from whatever your form returns to a dict, which will be sent to .filter as a **kwargs?

You received this message because you are subscribed to the Google Groups "Django users" group.
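The "strict translator" Masklinn describes, written out as an added example (this is not code from the original post or from Django). The point worth being precise about: the ORM already parameterises the *values* it sends to MySQL, so "2005" is not an SQL-injection risk on its own. The dangerous part of the posted view is that the client chooses the *keys* of the dict that gets splatted into filter(): a hostile client can name any field on the model, traverse relations (something like "director__password__icontains"), or pick expensive lookups such as __regex. Escaping does nothing about that; a whitelist of exact lookup strings does. The example assumes a Film model with year, title and rating fields, targets Python 3 (so no .encode('utf-8')), and the MAX_CLAUSES / MAX_VALUE_LEN limits and the year range are assumptions chosen for illustration. It needs no Django import, so it runs stand-alone; the returned dicts are what the view would pass to Film.objects.filter(**includes).exclude(**excludes).

```python
"""Strict translator from the posted JSON filter to filter()/exclude() kwargs.

Added example, not code from the original post. Assumes a Film model with
integer ``year``, string ``title`` and float ``rating`` fields; the caps and
the year range below are illustrative assumptions.
"""
import json


def _year(s):
    """Parse a year and bound it (range is an assumption for the example)."""
    y = int(s)
    if not 1888 <= y <= 2100:
        raise ValueError("year out of range")
    return y


# The ONLY lookups the UI may produce, each paired with a parser that turns
# the raw user string into the right Python type. Any other field, relation
# traversal ("director__password__icontains") or lookup (__regex, __in, ...)
# is rejected outright because it is simply not a key of this dict.
ALLOWED_LOOKUPS = {
    "year__iexact": _year,
    "year__lt": _year,
    "year__gt": _year,
    "title__iexact": str,
    "title__icontains": str,
    "rating__gte": float,
    "rating__lte": float,
}

MAX_CLAUSES = 20       # assumed cap: bounds query size from a hostile client
MAX_VALUE_LEN = 200    # assumed cap on the raw length of a single value


class FilterError(ValueError):
    """Raised for any payload that does not match the expected shape."""


def _translate_clauses(clauses):
    """Turn [[lookup, value], ...] into a dict that is safe to splat."""
    if not isinstance(clauses, list):
        raise FilterError("clause list must be a JSON array")
    out = {}
    for clause in clauses:
        if not (isinstance(clause, list) and len(clause) == 2):
            raise FilterError("each clause must be a [lookup, value] pair")
        lookup, raw = clause
        # Match the whole lookup string against the whitelist. Never split
        # it on "__" and trust the parts, and never build the lookup from
        # client-supplied field and operator fragments.
        parser = ALLOWED_LOOKUPS.get(lookup)
        if parser is None:
            raise FilterError("lookup not permitted: %r" % (lookup,))
        if not isinstance(raw, str) or len(raw) > MAX_VALUE_LEN:
            raise FilterError("value for %s must be a short string" % lookup)
        try:
            value = parser(raw.strip())
        except ValueError:
            raise FilterError("bad value %r for %s" % (raw, lookup))
        if lookup in out:
            raise FilterError("duplicate lookup: %s" % lookup)
        out[lookup] = value
    return out


def translate_filter(payload_json):
    """Parse the posted JSON and return (includes, excludes, match_all).

    ``includes`` and ``excludes`` are dicts ready for
    Film.objects.filter(**includes).exclude(**excludes). Anything
    unexpected raises FilterError; the view should answer 400, not try
    to repair the input.
    """
    try:
        payload = json.loads(payload_json)
    except ValueError:
        raise FilterError("body is not valid JSON")
    if not isinstance(payload, dict):
        raise FilterError("top level must be a JSON object")
    unknown = set(payload) - {"includes", "excludes", "all"}
    if unknown:
        raise FilterError("unexpected keys: %s" % sorted(unknown))
    includes = _translate_clauses(payload.get("includes", []))
    excludes = _translate_clauses(payload.get("excludes", []))
    if len(includes) + len(excludes) > MAX_CLAUSES:
        raise FilterError("too many clauses")
    match_all = payload.get("all", True)   # default "match all" is assumed
    if not isinstance(match_all, bool):
        raise FilterError("'all' must be a boolean")
    return includes, excludes, match_all


def is_rejected(payload_json):
    """True if the translator refuses the payload (used by the demo below)."""
    try:
        translate_filter(payload_json)
    except FilterError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payloads: the post's own example, then hostile ones.
    print(translate_filter('{"includes": [["year__iexact", "2005"]], '
                           '"excludes": []}'))
    for bad in ('{"includes": [["director__password__icontains", "a"]]}',
                '{"includes": [["year__regex", ".*"]]}',
                '{"includes": [["year__iexact", "2005 OR 1=1"]]}'):
        print("rejected:", is_rejected(bad), bad)
```

Two design notes. First, the whitelist keys are whole lookup strings, so the server, not the client, decides which field/operator combinations exist; if you prefer the client to send ("year", "is", "2005") triples, keep the same idea and map the pair ("year", "is") to "year__iexact" on the server. Second, the kwargs form can only express "match all"; for "match any" (the "all": false case) the view has to OR the clauses together with Q objects instead of splatting a single dict, but the validated (lookup, value) pairs are the same either way.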

