librelist archives

« back to archive

Form Validation with Files Attached

Form Validation with Files Attached

From:
Gary Chambers
Date:
2014-03-19 @ 14:46
All,

I would appreciate some advice on how you handle form validation with file
attachments.

I maintain an application that I wrote in another language that validates
several fields of input on one page before rendering a second page where any
file attachments relevant to the first page may be submitted.  I designed it
this way to prevent the (possibly large-ish) attachments from being sent
with every resend in the case of validation failure on the first page.

The application exclusively uses plain HTML and server-side validation.  I
intend to migrate this application to Flask, but I'd like to handle
validation and file attachment more eloquently and would appreciate any
advice for doing so.  If it matters, my Javascript abilities are severely
limited.

Thank you.

--
G.

Re: [flask] Form Validation with Files Attached

From:
Shawn Milochik
Date:
2014-03-19 @ 14:52
The easiest answer, (and this question has nothing to do with Flask), is to
do it they way you're already doing it. You could get fancy and save the
file and remember it, hiding the upload on the form reload, or putting up a
message to only upload a file if they want to change it, and maybe show the
filename of the already uploaded file. But this isn't a Flask question.

Re: [flask] Form Validation with Files Attached

From:
David Baumgold
Date:
2014-03-19 @ 14:51
Flask doesn’t handle form validation, but it can integrate with other 
libraries that do. The most well-known of these in the Flask community is 
WTForms, and there is a package called Flask-WTF that integrates nicely 
with it: https://flask-wtf.readthedocs.org. Does that solve your problem?
-David Baumgold



On Wednesday, March 19, 2014 at 10:46 AM, Gary Chambers wrote:

> All,
>  
> I would appreciate some advice on how you handle form validation with file
> attachments.
>  
> I maintain an application that I wrote in another language that validates
> several fields of input on one page before rendering a second page where any
> file attachments relevant to the first page may be submitted. I designed it
> this way to prevent the (possibly large-ish) attachments from being sent
> with every resend in the case of validation failure on the first page.
>  
> The application exclusively uses plain HTML and server-side validation. I
> intend to migrate this application to Flask, but I'd like to handle
> validation and file attachment more eloquently and would appreciate any
> advice for doing so. If it matters, my Javascript abilities are severely
> limited.
>  
> Thank you.
>  
> --
> G.
>  
>  

Re: [flask] Form Validation with Files Attached

From:
Gary Chambers
Date:
2014-03-19 @ 14:56
David,

> Flask doesn’t handle form validation, but it can integrate with other
> libraries that do. The most well-known of these in the Flask community is
> WTForms, and there is a package called Flask-WTF that integrates nicely
> with it: https://flask-wtf.readthedocs.org. Does that solve your problem?

No, thank you, and I apologize for omitting that I will be using Flask-WTF.

Am I mistakenly assuming that, regardless of whether or not I use wtforms,
the file attachments will be sent upon submission, even if it does not pass
validation?

--
G.

Re: [flask] Form Validation with Files Attached

From:
David Baumgold
Date:
2014-03-19 @ 15:25
There’s two different kinds of validation: client-side validation, and 
server-side validation. WTForms does server-side validation, which occurs 
after the client has submitted a form, including sending file attachments.
Client-side validation is done in Javascript, and it consists of setting 
an event handler for when the user tries to submit the form, checking the 
validity of that form, and if the form is invalid, blocking the form 
submission and highlighting the error. Because the form submission is 
blocked on the client-side, file attachments do not get sent for 
client-side validation.

There are several Javascript libraries out there that will help you handle
client-side validation, but as Shawn pointed out, this has nothing to do 
with Flask specifically. In addition, you should know that a smart user 
can get around client-side validation, but not server-side validation — so
if you’re concerned about security, you need server-side validation, not 
just client-side.
-David



On Wednesday, March 19, 2014 at 10:56 AM, Gary Chambers wrote:

> David,
>  
> > Flask doesn’t handle form validation, but it can integrate with other
> > libraries that do. The most well-known of these in the Flask community is
> > WTForms, and there is a package called Flask-WTF that integrates nicely
> > with it: https://flask-wtf.readthedocs.org. Does that solve your problem?
> >  
>  
>  
> No, thank you, and I apologize for omitting that I will be using Flask-WTF.
>  
> Am I mistakenly assuming that, regardless of whether or not I use wtforms,
> the file attachments will be sent upon submission, even if it does not pass
> validation?
>  
> --
> G.
>  
>  

Re: [flask] Form Validation with Files Attached

From:
Shawn Milochik
Date:
2014-03-19 @ 15:19
On Wed, Mar 19, 2014 at 10:56 AM, Gary Chambers <gwchamb@gwcmail.com> wrote:

>
> No, thank you, and I apologize for omitting that I will be using Flask-WTF.
>
> Am I mistakenly assuming that, regardless of whether or not I use wtforms,
> the file attachments will be sent upon submission, even if it does not pass
> validation?
>
>
Yes, uploaded files in a form submission are included in the POST data.
Again, this still has nothing to do with Flask, or WTForms. I'm not saying
that to say you're wasting time on this list -- just to point out that this
is standard web stuff that using these tools can not change. I want to make
sure that you don't think using Flask will somehow limit you, or somehow
magically fix an unrelated problem.

Re: [flask] Form Validation with Files Attached

From:
Emanuil Tolev
Date:
2014-03-19 @ 15:20
The file *has* to be sent in order to be validated at all. The bits have to
go from the user's browser to the server.

If you use WTForms validation and the file fails it, the whole form will be
declared invalid. (e.g. form.validate() will return False)
What you do with this information is then up to your view code - usually
when a form is invalid none of the information is saved, and the form
template is displayed again along with any validation errors.

This is an example of how to do WTForms file validation:
http://stackoverflow.com/questions/4058308/wtforms-validation . (The code
in the question is almost OK, just 2 variables need replacing - the answer
details what needs doing.)

I think I know what you're getting at - you're looking for a way to stop
large files from being transferred to the server, not even for validation
purposes. If this is correct, I'm afraid you're a bit limited to what
Javascript can do.. you could check filenames (for the right extensions)
and size


http://stackoverflow.com/questions/15439801/validate-file-upload-with-javascript-jquery.

If you're not keen on rolling your own and dealing with browser
compatibility (HTML5 capabilities especially), then this may help:
http://www.uploadify.com/ .

Greetings,
Emanuil


On 19 March 2014 14:56, Gary Chambers <gwchamb@gwcmail.com> wrote:

> David,
>
>
>  Flask doesn't handle form validation, but it can integrate with other
>> libraries that do. The most well-known of these in the Flask community is
>> WTForms, and there is a package called Flask-WTF that integrates nicely
>> with it: https://flask-wtf.readthedocs.org. Does that solve your problem?
>>
>
> No, thank you, and I apologize for omitting that I will be using Flask-WTF.
>
> Am I mistakenly assuming that, regardless of whether or not I use wtforms,
> the file attachments will be sent upon submission, even if it does not pass
> validation?
>
> --
> G.

Re: [flask] Form Validation with Files Attached

From:
Gary Chambers
Date:
2014-03-19 @ 15:39
Emanuil,

> I think I know what you're getting at - you're looking for a way to stop
> large files from being transferred to the server, not even for validation
> purposes. If this is correct, I'm afraid you're a bit limited to what
> Javascript can do.. you could check filenames (for the right extensions)
> and size

Precisely!  Thank you to you and David Baumgold for your helpful replies.  I
wanted to verify that there wasn't an existing pattern that Flask developers
employed to overcome the limitation and possibly respin the application for
more efficient use.

--
G.