
CSRF

 

注:在django中,如果settings里面的 ‘django.middleware.csrf.CsrfViewMiddleware‘ 这一行被注释掉(前面加 #),则没有csrf限制,

  否则有csrf限制。

  无论csrf有限制还是无限制,应用时都有以下解决方案:

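<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    {# POSTs to the csrf1 view. The csrf_token tag is what lets this form #}
    {# through when CsrfViewMiddleware is enabled in settings; with the    #}
    {# middleware commented out it renders but nothing checks it.          #}
    <form method="POST" action="/csrf1.html/">
        {% csrf_token %}
        <input type="text" name="user">
        <input type="submit" value="提交"/>
    </form>
</body>
</html>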
csrf.html
"""day73 URL Configuration

The `urlpatterns` list routes URLs to views. For more information please see:
    https://docs.djangoproject.com/en/1.10/topics/http/urls/
Examples:
Function views
    1. Add an import:  from my_app import views
    2. Add a URL to urlpatterns:  url(r'^$', views.home, name='home')
Class-based views
    1. Add an import:  from other_app.views import Home
    2. Add a URL to urlpatterns:  url(r'^$', Home.as_view(), name='home')
Including another URLconf
    1. Import the include() function: from django.conf.urls import url, include
    2. Add a URL to urlpatterns:  url(r'^blog/', include('blog.urls'))
"""
from django.conf.urls import url
from django.contrib import admin

from app01 import views


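urlpatterns = [
    # Prefix match (no trailing "$"): any path beginning with "csrf1", such as
    # the "/csrf1.html/" action used by csrf.html, is routed to views.csrf1.
    url(r'^csrf1', views.csrf1),
]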
urls
"""
Django settings for day73 project.

Generated by 'django-admin startproject' using Django 1.10.6.

For more information on this file, see
https://docs.djangoproject.com/en/1.10/topics/settings/

For the full list of settings and their values, see
https://docs.djangoproject.com/en/1.10/ref/settings/
"""

import os

# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
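BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))


# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/

# SECURITY WARNING: keep the secret key used in production secret!
# The literal below is the key generated for this project and it has been
# published together with this listing, so it can only serve as the local
# development fallback. A deployment supplies its own key through the
# DJANGO_SECRET_KEY environment variable (a name chosen for this file).
SECRET_KEY = os.environ.get(
    "DJANGO_SECRET_KEY",
    "ct2d2^2k(l&%n@96xsd9y#0@!^_5a^peanb69ndouz&gx6%n3o",
)

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

# List the hostnames the site is served under before turning DEBUG off.
ALLOWED_HOSTS = []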


# Application definition

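INSTALLED_APPS = [
    "django.contrib.admin",
    "django.contrib.auth",
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
    "django.contrib.staticfiles",
    # Project app holding the csrf1 view that day73/urls.py routes to.
    "app01.apps.App01Config",
]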

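# CSRF is configured here. Site-wide protection comes from CsrfViewMiddleware;
# the commented-out entry below is the "disable for the whole site" setup this
# listing demonstrates, and with it commented out Django performs no CSRF check
# on any view. Keep the entry enabled for anything beyond the demo and use
# csrf_exempt on the individual views that must accept unprotected POSTs.
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    # "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
]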




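ROOT_URLCONF = "day73.urls"

TEMPLATES = [
    {
        "BACKEND": "django.template.backends.django.DjangoTemplates",
        # Project-level template directory (csrf1.html lives here); per-app
        # template directories are searched as well because APP_DIRS is True.
        "DIRS": [os.path.join(BASE_DIR, "templates")],
        "APP_DIRS": True,
        "OPTIONS": {
            "context_processors": [
                "django.template.context_processors.debug",
                "django.template.context_processors.request",
                "django.contrib.auth.context_processors.auth",
                "django.contrib.messages.context_processors.messages",
            ],
        },
    },
]

WSGI_APPLICATION = "day73.wsgi.application"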


# Database
# https://docs.djangoproject.com/en/1.10/ref/settings/#databases

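# The SQLite default that startproject generated, kept for reference:
# DATABASES = {
#     'default': {
#         'ENGINE': 'django.db.backends.sqlite3',
#         'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
#     }
# }

# MySQL on localhost. The original listing used root with an empty password,
# which is only acceptable for a throwaway local database; the values below are
# the development fallbacks, and a deployment overrides them through the DB_*
# environment variables (names chosen for this file) with a least-privilege
# account for the ff3 schema. PORT is kept as a string, Django's convention.
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.mysql",
        "NAME": os.environ.get("DB_NAME", "ff3"),
        "USER": os.environ.get("DB_USER", "root"),
        "PASSWORD": os.environ.get("DB_PASSWORD", ""),
        "HOST": os.environ.get("DB_HOST", "localhost"),
        "PORT": os.environ.get("DB_PORT", "3306"),
    }
}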




# Password validation
# https://docs.djangoproject.com/en/1.10/ref/settings/#auth-password-validators

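# Django's four stock validators, in the order startproject generates them.
AUTH_PASSWORD_VALIDATORS = [
    {
        "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.CommonPasswordValidator",
    },
    {
        "NAME": "django.contrib.auth.password_validation.NumericPasswordValidator",
    },
]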


# Internationalization
# https://docs.djangoproject.com/en/1.10/topics/i18n/

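LANGUAGE_CODE = "en-us"

TIME_ZONE = "UTC"

USE_I18N = True

USE_L10N = True

# Timezone-aware datetimes are stored in UTC (TIME_ZONE above).
USE_TZ = True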


# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/1.10/howto/static-files/

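STATIC_URL = "/static/"
# Project-level static directory; the trailing comma keeps this a one-element tuple.
STATICFILES_DIRS = (
    os.path.join(BASE_DIR, "static"),
)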
settings设置


#******************基本应用**********************
# a.(HTML表单中form表单添加)
    # {% csrf_token %}
# def csrf1(request):
#     if request.method == ‘GET‘:
#         return render(request,‘csrf1.html‘)
#     else:
#         return HttpResponse(‘哥们干啥来了‘)
# *********************************************** 
#******************全站禁用***********************
# b.(settings设置里面,把这一行注释掉)
# # ‘django.middleware.csrf.CsrfViewMiddleware‘,
#************************************************
#******************局部禁用***********************
# c.(全站使用前提下可以使用局部禁用)
# ‘django.middleware.csrf.CsrfViewMiddleware‘,
# from django.views.decorators.csrf import csrf_exempt
# @csrf_exempt
# def csrf1(request):
#     if request.method == ‘GET‘:
#         return render(request, ‘csrf1.html‘)
#     else:
#         return HttpResponse(‘ok‘)
# ************************************************
# ****************局部使用*************************
# d.(全站使用前提下可以使用局部使用)
# ‘django.middleware.csrf.CsrfViewMiddleware‘,
# from django.views.decorators.csrf import csrf_protect
# @csrf_protect
# def csrf1(request):
#     if request.method == ‘GET‘:
#         return render(request, ‘csrf1.html‘)
#     else:
#         return HttpResponse(‘ok‘)
# ************************************************
#****************CBV中添加装饰器********************
# def wrapper(func):
#     def inner(*args,**kwargs):
#         return func(*args,**kwargs)
#     return inner
# 1. 指定方法上添加装饰器
    # class Foo(View):

    #     @method_decorator(wrapper)
    #     def get(self,request):
    #         pass

    #     def post(self,request):
    #         pass
# 2. 在类上添加
    #     @method_decorator(wrapper,name=‘dispatch‘)     #全部类添加
    #     @method_decorator(wrapper, name=‘get‘)         # 只给get添加
    #     @method_decorator(wrapper, name=‘post‘)        # 只给post添加
    #     class Foo(View):

    #         def dispatch(self,request,*args,**kwargs):
    #               pass

    #         def get(self,request):
    #             pass

    #         def post(self,request):
    #             pass
#************************************************

  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 
