Wang Zheng's Blog
Django Hello World steps
  • virtualenv helloworld
  • source helloworld/bin/activate
  • pip install Django
  • django-admin.py startproject helloproject
  • cd helloproject
  • python manage.py startapp app1
  • vim helloproject/urls.py
  • vim app1/views.py -> add def hello(request): return HttpResponse("Hello World")
  • python manage.py runserver
Error when a form in a Django app's HTML page uses method='post'

Forbidden (403)
CSRF verification failed. Request aborted.

Help
Reason given for failure: CSRF token missing or incorrect.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
  • Your browser is accepting cookies.
  • The view function uses RequestContext for the template, instead of Context.
  • In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
  • If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.

You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed. You can customize this page using the CSRF_FAILURE_VIEW setting.

One quick way to make the error go away is to disable the check: edit web2's settings.py and comment out the CSRF middleware entry in MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.middleware.csrf.CsrfViewMiddleware',
)

Of course this approach is not advisable: with the middleware commented out, every POST view in the project will accept forged cross-site requests.

So re-enable the CSRF middleware and follow the hints above instead. When you print req.POST you will see the request in the log, [07/Jun/2014 21:15:41] "GET /post_add/ HTTP/1.1" 200 602, and the POST data contains the token field:

<QueryDict: {..., u'csrfmiddlewaretoken': [u'I5Jwkfkdsjkgjgfgz']}...>

CSRF (Cross-site request forgery), also known as a "one click attack" or session riding, works by including links or scripts in a page that an authorized user visits. For example: a user Bob may be browsing a chat forum while another user, Alice, is also on the forum and has just posted a message containing an image whose link points at Bob's bank. Suppose Alice crafted a URL that performs a withdrawal on Bob's bank site (an action that should only ever be a form submission) and placed that URL in an image tag. If Bob's bank keeps his authorization in a cookie and that cookie has not expired, then when Bob's browser tries to load the image it will send the withdrawal request together with his cookie, and the transaction is authorized without Bob's consent.

The risk lies in web applications that perform actions for authenticated users on the strength of a trusted input form alone, without requiring any further authorization for the specific action. A user who is already authenticated through a cookie stored in the browser will, without knowing it, send HTTP requests to the site that trusts him, and so perform actions the user never intended.

For beginners, the fix is exactly what the help text suggests: add a {% csrf_token %} tag inside the form, directly after the opening form tag, and render the template with a RequestContext (for example via django.shortcuts.render) so that the tag has a token to emit:

<form action='/post_add/' method='post' enctype="multipart/form-data">{% csrf_token %}
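To make the attack described above and the {% csrf_token %} fix concrete, here is an added illustrative example (not Django's own code and not from this blog) that models the core of what django.middleware.csrf.CsrfViewMiddleware checks on a POST: the token issued in the csrftoken cookie must match the csrfmiddlewaretoken field that the template tag copies into the form. The Request class, render_post_form and demo are assumptions introduced for the demonstration; the two failure-reason strings are the ones Django's middleware reports.

```python
# Illustrative model of Django's CSRF check (added example, not Django's code).
import hmac
import secrets

# Methods that never change state are not checked, like in Django.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
# Rejection reasons; the second one is the text shown on the 403 page above.
REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


class Request:
    """Stand-in (assumed) for django.http.HttpRequest, carrying only what the check needs."""

    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.COOKIES = dict(cookies or {})
        self.POST = dict(post or {})


def csrf_check(request):
    """Return None if the request may proceed, otherwise the rejection reason."""
    if request.method in SAFE_METHODS:
        return None
    cookie_token = request.COOKIES.get("csrftoken")
    if cookie_token is None:
        return REASON_NO_CSRF_COOKIE
    form_token = request.POST.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so a mismatch does not leak timing information.
    if not hmac.compare_digest(form_token, cookie_token):
        return REASON_BAD_TOKEN
    return None


def render_post_form(existing_cookie_token=None):
    """Mimic a GET of /post_add/ rendered with RequestContext.

    Returns (html, cookie_token). The token is issued once per browser and kept
    in the csrftoken cookie; {% csrf_token %} copies it into a hidden field.
    """
    token = existing_cookie_token or secrets.token_hex(16)
    hidden = "<input type='hidden' name='csrfmiddlewaretoken' value='%s' />" % token
    html = ("<form action='/post_add/' method='post' enctype='multipart/form-data'>"
            + hidden + "<input type='submit' /></form>")
    return html, token


def demo():
    """Legitimate submission versus Alice's forged cross-site request (constructed data)."""
    # Bob loads the form page; the server sets his csrftoken cookie.
    _html, bob_token = render_post_form()
    bob_cookies = {"sessionid": "bob-session", "csrftoken": bob_token}

    # Bob submits the real form: the browser sends his cookies plus the hidden field.
    legit = Request("POST", bob_cookies, {"title": "hi", "csrfmiddlewaretoken": bob_token})

    # Alice's page auto-submits a form to /post_add/ from her own origin. Bob's
    # browser still attaches his cookies, but her page cannot read the csrftoken
    # cookie value (same-origin policy), so it cannot supply a matching field.
    forged = Request("POST", bob_cookies, {"title": "pwned"})

    # A client that never received the cookie at all (e.g. cookies disabled).
    no_cookie = Request("POST", {}, {"title": "x", "csrfmiddlewaretoken": bob_token})

    return {
        "legit": csrf_check(legit),
        "forged": csrf_check(forged),
        "no_cookie": csrf_check(no_cookie),
        "plain_get": csrf_check(Request("GET", bob_cookies)),
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print("%-9s -> %s" % (name, "accepted" if reason is None else reason))
```

The forged request fails with exactly the reason from the 403 page, which is the behaviour that commenting out CsrfViewMiddleware throws away. The real middleware does more than this sketch (for instance it also verifies the Referer header on HTTPS requests), but the cookie-versus-form-field comparison is the part that {% csrf_token %} and RequestContext exist to satisfy.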


$django-admin.py startproject web2

$cd web2/

$python manage.py startapp blog

$vim web2/settings.py

Pay attention to two parts of settings.py: first configure the database, then add the app you just created to INSTALLED_APPS.

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'dj_db01',
        # root with an empty password is only acceptable on a throwaway local box;
        # use a dedicated MySQL user with a password anywhere else.
        'USER': 'root',
        'PASSWORD': '',
        'HOST': 'localhost',
        'PORT': '',
    }
}

INSTALLED_APPS = (
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.sites',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'blog',
    'django.contrib.admin',
    'django.contrib.admindocs',
)

Next, edit models.py

$vim blog/models.py

from django.db import models

Create the corresponding database in MySQL

mysql> create database dj_db01 default charset utf8;

Now the tables can be generated automatically

$python manage.py syncdb

$vim web2/urls.py

from django.conf.urls import patterns, include, url

from django.contrib import admin

admin.autodiscover()

urlpatterns = patterns('',
    # the app's view module is blog/views.py, so the dotted path is blog.views.index
    url(r'^blog/$', 'blog.views.index'),
)

$mkdir -p blog/static/images

Then copy an image over from somewhere else; here I copied img2.jpg.

Now edit the page

$mkdir blog/templates

$vim blog/templates/index.html

<h1>hello</h1>

<img src='/static/images/img2.jpg'/>

Run it:

$python manage.py runserver 3900