Forum OpenACS Q&A: Howto sign an ad

Forum OpenACS Q&A: Howto sign an ad_form variable

Posted by Randy O'Meara on 07/17/03 03:56 AM

I would like to sign and ad_form hidden variable to reduce the probability of unauthorized twiddling. Can anyone show me the proper syntax for doing this? Here's what I'm using and the error I'm seeing:

code

    ad_form -name cmd -cancel_url $return_url -form {
        cmd_id:key
        {return_url:text(hidden) {value $return_url}}

        {id_grp:integer(hidden) {sign} {value $id_grp}}
    ...

resulting error

can't use empty string as operand of "&&"
    while executing
"if { [string equal $opts(widget) hidden] 
       && [info exists opts(sign)] 
       && $opts(sign)
   } { 
      if {[info exists opts(value)] } {
  ..."
    (procedure "template::element::create" line 71)
    invoked from within
"template::element::create cmd id_grp -datatype integer -widget hidden -sign {} -value 0"
    ("eval" body line 1)
    invoked from within
"eval template::element::$command $form_id $element_id $args"
...

Thanks,

Randy

2: Re: Howto sign an ad_form variable (response to 1)

Posted by Randy O'Meara on 07/17/03 06:38 AM

I played around a bit and found that, if I include a numeric value in the {sign} list, it seems to be interpreted as a boolean value that causes the variable to be signed if the value is true and not signed if the value is false. I determined this by looking at the generated html form.

So, if I do {sign 1} (any non-zero value will do) then the html form contains, in addition to the id_grp value, another element:

<input type="hidden" name="id_grp:sig" value="someLongSigString" />

If if do {sign 0}, the id_grp:sig element does not appear.

Is this the right way to do this?