What is a more efficient way to pass variables from Template to View in Django?

My question involves passing variables from the template to view in Django.

I know of passing variables in the URL and through a form. The problem I have with the first one is that the URL could be manipulated, which is not what I want. Is there any way to prevent that?

Right now this is what I have as a band-aid:

<form action="/match/" method="post">
{% csrf_token %}

<input type="hidden" name="name1" value="{{ male_results }}">
<input type="hidden" name="userid1" value="{{ male_pic_userid }}">

<input type="hidden" name="name2" value="{{ female_results }}">
<input type="hidden" name="userid2" value="{{ female_pic_userid }}">

<input type="submit" value="Submit" />
</form> 

Is there a way to avoid having to use this? Thank you!

Jack asked Aug 23 '12 17:08



2 Answers

There are broadly 3 ways to hold onto this kind of information:

Session (my suggestion for your situation)

Just stuff the data you want into the request.session dictionary; it'll persist per-user, and you can access it easily:

# view1
request.session['name1'] = male_results
request.session['userid1'] = male_pic_userid

# view2 (or elsewhere in view1)
male_results = request.session.get('name1')
male_pic_userid = request.session.get('userid1')

Advantages

  • No changes needed to your templates (except removing your now-unnecessary forms).
  • Clean URLs
  • Persists even through closing and re-opening the browser window
  • You don't need to worry about users modifying or even seeing the session data (it's way more secure)

Disadvantages

  • As with POST, page content is dictated by the URL and session data — URLs are no longer unique, and users can't share a particular page that relies on session info

Query parameters

Something like /match/?name1=foo1&userid1&name2=bar&userid2=2. You can either add these manually (<a href='/match/?name1={{ male_results }}...) or by changing your POST form to GET.

Advantages

  • These URLs can be shared and bookmarked; if it's a list with filtering options, this is probably desirable ("Here's the list of cars I like" posted to Facebook, etc.)

Disadvantages

  • As you've already noted, these can be freely modified by the user
  • Adding these to every URL is a massive pain

POST form (your current approach)

Advantages

  • A little more hidden (nothing user-visible without some kind of browser extension)
  • Slightly harder to manipulate (though don't rely on this security-through-obscurity)
  • Cleaner URLs

Disadvantages

  • Leads to "this page has expired" messages on Internet Explorer if you use your browser's "back" button ...
  • ... and "Are you sure you want to re-send this data" messages on most browsers if users try to reload any of your pages
  • All this state information will be lost if a user re-opens the page (pressing "return" in the URL bar, for instance)
  • Users can't share the exact page they're looking at; the content is partly determined by non-user-visible information
  • Adding POST data to every navigation action is a huge pain.
supervacuo answered Oct 12 '22 23:10
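One way to make the hidden-field approach tamper-evident on the server, added here as an illustration rather than code from either answer: the values are serialized and signed with an HMAC (the same idea as Django's django.core.signing, re-implemented with the standard library so it runs without Django), and the receiving view rejects anything whose tag no longer matches. The session helpers at the end model the alternative the first answer recommends, where only an opaque id ever reaches the browser. SECRET_KEY, sign_hidden_fields, match_view and the session helper names are assumptions for this example.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

# Constructed key for the example; a Django project would use settings.SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hidden_fields(fields: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the match data and append an HMAC-SHA256 tag: 'payload.tag'."""
    payload = _b64(json.dumps(fields, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"

def verify_hidden_fields(token: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the fields only if the tag matches; None for altered or malformed input."""
    try:
        payload, tag = token.rsplit(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None

def match_view(post_data: dict) -> str:
    """Receiving view: trust the hidden fields only after the tag checks out."""
    fields = verify_hidden_fields(post_data.get("match_token", ""))
    if fields is None:
        return "400 rejected: hidden fields missing or altered"
    return f"200 matching user {fields['userid1']} with user {fields['userid2']}"

# Session alternative: the data never leaves the server, only an opaque id does.
SESSION_STORE: dict = {}

def save_match_in_session(fields: dict) -> str:
    session_id = secrets.token_urlsafe(32)  # unguessable, carries no data itself
    SESSION_STORE[session_id] = dict(fields)
    return session_id

def load_match_from_session(session_id: str) -> Optional[dict]:
    return SESSION_STORE.get(session_id)
```

In a real Django view the token would be emitted into the template as a single hidden input and read back from request.POST, while the session half is simply request.session.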


There are three ways to get data from an HTML page into the server backend: URL (GET), Form (POST), and Cookies.

Any of the three may be manipulated so you need to validate everything on the server every time no matter what.

In terms of efficiency, per your post title, URL (GET) variables are slightly more efficient, since form data goes through a mild amount of encoding before it is sent on to the server.

Under normal usage the standard is to use URL (GET) variables when you are retrieving data from the server and to use Form (POST) variables when you want to manipulate (edit/delete) data on the server.

brian buck answered Oct 13 '22 00:10