Django & HTML POST security
Posted: Tue Apr 17, 2012 8:09 pm
I'm just getting going on this portion/code for my project, and I'd like to see what suggestions/resources you guys know of:
I need to get listings into my database in order for django to display them on the web page.
I also plan to build schedules based on the data in the DB.
There are handy dandy methods to download the data to an XML format, which I'm planning on using.
Different sets of listings can be associated with each different capture device.
Consider the following problem/method:
Currently, things are built so listings are individually downloaded for each capture device (regardless of repetition) because the settings are locally saved at the moment, and then are forwarded in XML form on to the web server via an HTTP POST - the web server will then parse the XML into the database, and account for things such as capture devices sharing channels, etc.
Here's the problem. I want to generate the HTTP POST using urllib2... Do you have any suggestions for where I should start to add a method to provide for some kind of authentication? If I write everything carefully, I think I can prevent anyone from injecting malicious code, but without authentication there's still the opportunity to prank by uploading bogus listings.
Any thoughts?
(Now, I need to write my code to parse the XML properly.)
[EDIT] I may also find that I want to change approaches. If I upload listings settings information once and make the server handle all of the listings grabbing, I can make it account for shared channels and such so that it only has to grab each thing once, and only generates traffic from the web to the server. This may be the better option for specifically the listings. The authentication aspect still applies.
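One way to authenticate the XML upload described in the post, as an added example that is not code from the original thread: each capture device holds a per-device shared secret, and every POST carries a timestamp and an HMAC-SHA256 tag over the device id, timestamp and body, which the Django view checks before parsing anything. The `DEVICE_SECRETS` table, header names and `sign_upload`/`verify_upload` functions are assumptions for illustration; in Python 3 the client would use `urllib.request` (the successor of `urllib2`) to send the headers and body.

```python
import hmac
import hashlib
import time

# Constructed example: each capture device and the server share a secret that
# is provisioned out of band (e.g. generated when the device is registered).
# The device id and secret value here are hypothetical.
DEVICE_SECRETS = {"capture-01": b"replace-with-a-long-random-per-device-secret"}

MAX_SKEW_SECONDS = 300  # reject tags whose timestamp is outside this window

def sign_upload(secret, device_id, body, timestamp):
    """Compute the HMAC-SHA256 tag a device sends with its XML body.
    Device id and timestamp are bound into the tag, so a captured tag
    cannot be reused with another device, time or body."""
    msg = b"%s\n%d\n" % (device_id.encode(), timestamp) + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def build_headers(secret, device_id, body, timestamp=None):
    """Client side: headers to attach to the urllib POST of the listings XML."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    return {
        "Content-Type": "application/xml",
        "X-Device-Id": device_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sign_upload(secret, device_id, body, timestamp),
    }

def verify_upload(headers, body, now=None):
    """Server side: True only if the POST carries a fresh, valid tag.
    In a Django view, pass request.headers and request.body (raw bytes)."""
    now = int(time.time()) if now is None else now
    device_id = headers.get("X-Device-Id", "")
    secret = DEVICE_SECRETS.get(device_id)
    if secret is None:
        return False  # unknown device: nothing to check against
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed outside the window
    expected = sign_upload(secret, device_id, body, ts)
    # constant-time comparison so timing does not leak the expected tag
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

Only after `verify_upload` returns True should the view hand the body to the XML parser, and a hardened parser such as `defusedxml` is safer than the stdlib one for input that arrives over the network.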