Forms¶

Django provides a rich framework to facilitate the creation of forms and the manipulation of form-data. In our main directory (website) we create a python file, named “forms.py” were we place the code for the forms we require.

Project’s Forms¶

Note

The Form’s variables we are going to declare must have the same name with the <input … name=”username” … />

The Register form¶

To access the services of our website, the user must register by completing the form presented when clicking the “sign up” button in the nav-bar. When pressed, the form fields will replace the products shown in the index page. To create the form, we access the “forms.py” file and write down the required code and the fields we want the user to fill in :

from django import forms

class RegistrationForm(forms.Form):
    username = forms.CharField(max_length=45)
    email = forms.EmailField()
    password1 = forms.CharField(max_length=45)
    password2 = forms.CharField(max_length=45)
    .....

The Login Form¶

In order to login in our website, one must complete the required credentials of the login form, which are contained in the “login modal” that is activated when the user presses the “sign in” button in the navbar. To create the form, we access the “forms.py” file and write down the required code and the fields we want the user to fill in :

....
class LoginForm(forms.Form):
    username = forms.CharField(max_length=45)
    password = forms.CharField(max_length=45)
    ....

General Rule¶

Create the form class with the form fields you require
In the template file don’t forget to give the same name to the form elements

In the views.py when you want to handle forms use the following code:

if request.method == 'POST':
    form = RegistrationForm(request.POST)
    if form.is_valid():

And finally to get a field value use:
```
form.cleaned_data[...]
```

The CSRF Token¶

“The CSRF middleware and template tag provides easy-to-use protection against Cross Site Request Forgeries. This type of attack occurs when a malicious website contains a link, a form button or some JavaScript that is intended to perform some action on your website, using the credentials of a logged-in user who visits the malicious site in their browser. A related type of attack, ‘login CSRF’, where an attacking site tricks a user’s browser into logging into a site with someone else’s credentials, is also covered. The first defense against CSRF attacks is to ensure that GET requests are side effect free. In any template that uses a POST form, use the csrf_token tag inside the <form> element if the form is for an internal URL, e.g.

....
<form method="post" ...>
    {% csrf_token %}
    .....
</form>

This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability.

Handling Forms¶

When the user makes a POST request a view function is called and by typing the following code:

if request.method == 'POST':
    form = RegistrationForm(request.POST)
    if form.is_valid():

we can process the given data anyway we want. Most of the time is to make a query on our database.

To get each POST parameter we must use:

form.cleaned_data[form_field_name]

This data has not only been validated but will also be converted in to the relevant Python types for you.