#django

so I got my script done, I'm able to do hook it to a database and so on, but before I go too far I wanna make it secure

and apparently important stuff should be outside root dir

and I don't understand this concept at all

the kid, where would you start? regular js?

the secret key is in root?

"import stuff should be outside root dir" sounds like a php-ism

bulls: what did you mean by that?

umm, that anything inside the root is "exposed" and possibly viewable

and you're not supposed to have scripts there

no that's php

chupacabra_pirat, What ever works best for you

ok

so I don't need to put my sqlite3 database outside root either?

bulls: no python code is exposed with a django setup, unless you tell your webserver to do so :)

that's a relief

and you'd have to go out of your way to deliberately do that too

thanks! that was a great help!!! hope that soon i will be able to contribute a little myself

chupacabra_pirat, You could start by building the dynamic parts and then skin it with html, css, and javascript

so, if i need somthing dynamic on the front end

like getting from the used unknown number of arguments. that's with the js on the front end? no way to support it on the backend?

chupacabra_pirat, I have yet to use ipython notebook

chupacabra_pirat, so I can't be of much help on that one. Though I think that it works more of you provide the code directly in the html and it runs it in the browser

the kid, you mean the p notebook right?

chupacabra_pirat, Yes

that put aside, with ragular js or front end that you know, what would be the general way of doing what i need here?

chupacabra_pirat, I'm not a big fan of front-end development so I focus on building out the back-end and then once I have that all setup I start making it look pretty with JS, CSS, and HTML

sorry for asking many times, i dont realy understand the answer, so, if your would need to get unknows number of arguments, what will you use? i tried using formsets in django to get unknown number of queries, but it forces me to get one kind of queries and not allowing me to get some unknown types of queries

chupacabra_pirat, You would need to provide us with a sample of how you want it to work before we could give more direct suggestions

cool. lets say that you are dealt with cards. unknows number of cards from a single deck

you are able to say, that you want to have not more then X cards in a specific color, (or not less, or just exactly)

and able to say that you want a specific card to be present, or not present

chupacabra_pirat, do you need to save anything to a database?

nope

maybe users and some statistics later,

but not now, no

chupacabra_pirat, Thats going to make this easier

cool. i like easier

If I have a ForeignKey pointing to a base model, can I store child models in the Foreignkey in the end ?

chupacabra_pirat, javascript can create a dynamic form setup for you, in the view you could extract the variables passed in from your html

so, that will be in regular js or in some specific framwork?

chupacabra_pirat, you could go both ways for that. Maybe easier in a framework though.

specific recommendation?

angular js? react?

i recommend react

you don't necessarily need a js framework though you could easily just write your frontend with django templates

it's a bit easier

a fair bit easier to write if you've never done js front ends

naaa I'm gonna have to look into this more

"Make sure that your Python code is outside of the Web server’s root. This will ensure that your Python code is not accidentally served as plain text (or accidentally executed)."

shangxiao - thanks!

you all have been great, gave me some good directions.

this site I'm making is guaranteed to have some people try to hack it... can't take any risks and this quote is from djangotutorial's first page

bulls: where did you read that? no django project i've ever setup has been inside a server's root

bulls: it's simple... your code is code, not content... so don't put it anywhere the web server looks for content

oh actually this quote is not tutorial's first page... it's https://docs.djangoproject.com/en/1.9/topics/se...

but tutorial first page also has a similar comment

oh ok

i guess that's a warning for php devs

if you've never web programming before, and you start with django, then there'd be no reason to even think the code goes in the web root :D

yea I understand if it seems paranoid, but I've seen nice projects destroyed by sql injections and whatnot

I suppose it's a bit unusual then

but being new to it is also why I take the warnings in tutorials seriously :)

yes it's good to think security first, not enough do!

so i applaud you ;)

Django makes it rather hard to enable sql injections

django makes it _really_ hard

although it's still possible

it is, but you have to work at it

raw queries with concatenated strings, for eg

Always possible

if you ever are substing values into a SQL string yourself... don't.

i have this 3rd party library that adds some views to the django admin. they rely on jquery and try to load it from /static/admin/js/jquery.js. but in django 1.9 the jquery files were moved to /static/admin/js/vendor/jquery/jquery.js. so my question is: what is the recommended way to have jquery loaded from .../js/ in <1.9 and from .../js/vendor/jquery/ in >=1.9?

FunkyBob: just had a thought: a static code analyzer could pick that up easily

shangxiao: possibly

i know such tools exist for rails, i wonder if any exist for django

philippbosch, You should reach out to the 3rd party dev to update for 1.9

The-Kid: +1

I'm going to make a search function so the users can find <previously uploaded files> based on data that was parsed from them and saved

that includes quotes, strings

The-Kid, I did, but no reaction. so i wanted to du a pull request

s/du/do/

The-Kid, what would you recommend to the 3rd party devs if they wanted to keep it backwards compatible?

philippbosch, I'm not sure because it could take a rather large amount of retooling of the application

The-Kid, no, it's just the jquery path that needs to change. everything else is 1.9 compatible

and I guess I shouldn't look at django.VERSION and decide what the path should be

philippbosch: why not?

for something like that looking at the version is ok

ok. but it's probably not available in the template context, is it?

philippbosch, That sounds like a good idea

philippbosch: no, so make the decision in the view or in a context processor [blech]

Hi everyone.

omarek: !

Trying to set up django-registration. Quickstart file says I should have a 'base.html' template in my PROJECT'S template directory, so I made templates/base.html in PROJECT's directory. https://github.com/macropin/django-registration... . But I see it's looking for base.html in polls/templates/polls/base.html . Documentation error ?

FunkyBob: You probably know what my presence here means - another job interview XD

omarek: tht's good, right? :)

if you really alled it 'base.html' then it will not look for 'polls/base.html'

though it will look in poll/templates/base.html

you remember... each template dir is searched for a file with that name

template-loading post-mortem: http://dpaste.com/0Y429FH

I'm just being picky as usual. django-registration says I put it in PROJECT's template directory, but post-mortem seems to prefer app's directory.

/polls/templates/base.html

see? _NOT_ polls/templates/polls/base.html as you said

omarek: you're not listening.... it doesn't matter _which_ dir you put it in

Django will always search the same dirs for templates

all the DIRS you liste, and templates/ inside each app dir

omarek: where did you create the template, anyway?

So why is it not happy with the `base.html` file in this location ? http://dpaste.com/1C86C55

In this case, templates/ is in the same directory as manage.py