I am following Web2py’s book on SQLFORM in HTML.
http://web2py.com/books/default/chapter/29/07#SQLFORM
However, I cannot seem to figure it out. I have set the hidden field name="_formname" and its value to test. The form seems to not be processed. Here is my code:
test.html:
    <form action="" method="post">
      <ul>
        <li>Your name is <input name="name" /></li>
      </ul>
      <input type="submit" />
      <input type="hidden" name="_formname" value="test" />
    </form>
controller/default/test.py:
    def test():
        form = SQLFORM(db.person)
        if form.process(formname='test').accepted:
            session.flash = T('Succeeded.')
            redirect(URL('index'))
        elif form.errors:
            response.flash = T('Form has errors.')
        return dict()
model/db.py:
    db.define_table('person',
        Field('name', requires=IS_NOT_EMPTY()))
Notice the book example includes the following:
In the above, setting session=None disables the hidden “_formkey” field, which is used for protection against CSRF attacks and double form submission. However, in your code, you did not set session=None, which means when the form is processed upon submission, it is expecting to receive the hidden “_formkey” value. When the value is not found, the processing fails, though it will not generate any form.errors, so your error condition will not be triggered. To replicate the book example exactly, you must set session=None. Otherwise, if you want to retain the CSRF protection (which is a good idea), you can add the following to the form HTML:
You will also have to modify the controller function to return the formkey value for use in the view:
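The rejection path described in the answer above, as an added example that is not part of the original answer and is not web2py's own code: a simplified, self-contained model of a one-time form-key check, showing why a POST without “_formkey” is refused with no form.errors, and why a replayed key is refused too. The function names, the session slot name and the sample values are assumptions of this model; only the field names _formname, _formkey and name come from the page.

```python
import secrets

def process(session, post_vars, formname):
    """Simplified model of a one-time form-key check (not web2py source).

    Returns (accepted, errors, formkey); formkey is the fresh token the view
    must embed as the hidden "_formkey" field of the next rendered form.
    """
    errors = {}
    slot = "_formkey[%s]" % formname   # session slot name: an assumption of this model
    issued = session.get(slot, [])
    accepted = False
    if post_vars.get("_formname") == formname:
        sent = post_vars.get("_formkey")
        if sent and sent in issued:
            issued.remove(sent)        # single use: a replayed POST no longer matches
            # Field validation runs only after the token check has passed.
            if not post_vars.get("name"):
                errors["name"] = "Enter a value"
            accepted = not errors
        # Missing or unknown token: rejected, and errors stays empty.
    formkey = secrets.token_hex(16)
    session[slot] = issued[-9:] + [formkey]   # keep a few recent tokens per form
    return accepted, errors, formkey


def demo():
    """Replay the question's POST, then the corrected one, then a double submit."""
    session = {}                                   # constructed sample session
    _, _, key = process(session, {}, "test")       # initial GET renders the form
    post = {"_formname": "test", "name": "Ann"}    # constructed POST, no _formkey
    without_key = process(session, post, "test")[:2]
    with_key = process(session, dict(post, _formkey=key), "test")[:2]
    replayed = process(session, dict(post, _formkey=key), "test")[:2]
    return without_key, with_key, replayed


if __name__ == "__main__":
    for label, result in zip(("without key", "with key", "replayed"), demo()):
        print(label, result)
```

Because the token check comes before field validation in this model, a rejected request looks the same to the controller as a form that was never submitted: not accepted, and no errors to report.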