Home/ Questions/Q 8423835
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T03:50:02+00:00

My question involves passing variables from the template to view in Django. I know

  • 0

My question involves passing variables from the template to view in Django.

I know of passing variables in the URL and through a form. The problem I have with the first one is that the url could be manipulated which is not what I want. Is there anyway to prevent that?

Right now this is what I have as a band-aid:

<form action="/match/" method="post">
{% csrf_token %}

<input type="hidden" name="name1" value="{{ male_results }}">
<input type="hidden" name="userid1" value="{{ male_pic_userid }}">

<input type="hidden" name="name2" value="{{ female_results }}">
<input type="hidden" name="userid2" value="{{ female_pic_userid }}">

<input type="submit" value="Submit" />
</form>

Is there a way to avoid having to use this? Thank you!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are broadly 3 ways to hold onto this kind of information:

    Session (my suggestion for your situation)

    Just stuff the data you want into the request.session dictionary; it’ll persist per-user, and you can access it easily:

    # view1
request.session['name1'] = male_results
request.session['userid1'] = male_pic_userid

# view2 (or elsewhere in view1)
male_results = request.session.get('name1')
male_pic_userid = request.session.get('userid1')

    Advantages

    • No changes needed to your templates (except removing your now-unnecessary forms).
    • Clean URLs
    • Persists even through closing and re-opening the browser window
    • You don’t need to worry about users modifying or even seeing the session data (it’s way more secure)

    Disadvantages

    • As with POST, page content is dictated by the URL and session data — URLs are no longer unique, and users can’t share a particular page that relies on session info

    Query parameters

    Something like /match/?name1=foo1&userid1&name2=bar&userid2=2. You can either add these manually (<a href='/match/?name1={{ male_results }}...) or by changing your POST form to GET.

    Advantages

    • These URLs can be shared and bookmarked; if it’s a list with filtering options, this is probably desirable (“Here’s the list of cars I like” posted to Facebook, etc.)

    Disadvantages

    • As you’ve already noted, these can be freely modified by the user
    • Adding these to every URL is a massive pain

    POST form (your current approach)

    Advantages

    • A little more hidden (nothing user-visible without some kind of browser extension)
    • Slightly harder to manipulate (though don’t rely on this security-through-obscurity)
    • Cleaner URLs

    Disdvantages

    • Leads to “this page has expired” messages on Internet Explorer if you use your browser’s “back” button …
    • … and “Are you sure you want to re-send this data” messages on most browsers if users try to reload any of your pages
    • All this state information will be lost if a user re-opens the page (pressing “return” in the URL bar, for instance)
    • Users can’t share the exact page they’re looking at; the content is partly determined by non-user-visible information
    • Adding POST data to every navigation action is a huge pain.
    • 0