django CSRF verification failed. Request aborted

Question

I create form on django project. I have a error csrf failed.

My wievs.py file:

def durum(request): 
    if request.method == "POST":
        adi = request.POST.get('durum')
        db = sql.connect("/usr/connect.db")
        im = db.cursor()
        db.execute("INSERT INTO durum VALUES ("+str(adi)+")")
        db.commit()
        asd = "Durum mesajı '"+str(adi)+"' olarak değiştirildi."
        return render(request, asd, {})
    else:
        BASE = os.path.dirname(os.path.abspath(__file__))
    return HttpResponse(open(os.path.join(BASE, "html/durum.html")).read())

My urls.py file:

url(r'^durum/', db.durum),

My html file:

<form action="/durum" method="post">
{% csrf_token %}
<table>
    <tr><th>Durum Mesajı:</th><td><input type="text" name="durum"/></td></tr>
     <tr><th></th><td><input type="submit" value="Ekle"/></td></tr>
</table>

first of all, you should change action="/durum" for action="." since you'll most of the time post to the same url — Alvaro, Jan 10 '15 at 15:26
2nd you are not rendering the template, so csrf token is never created. Try using return render() — Alvaro, Jan 10 '15 at 15:28
I don't understand why you're using Django at all, if you want to use flat HTML and execute SQL directly. — Daniel Roseman, Jan 10 '15 at 15:56
That wasn't my point. Why don't you actually use the functionality Django gives you? Especially as you are now completely open to SQL injection: if I post `foo;DROP TABLE durum;-- ` into your form, all your data will be deleted. — Daniel Roseman, Jan 10 '15 at 19:05

score 2 · Accepted Answer · answered Jan 10 '15 at 15:30

You should follow the "django-way" to render your template. The way your view works is sending the template as plain html instead of proccessing it. Try it this way:

def durum(request): 
if request.method == "POST":
    adi = request.POST.get('durum')
    db = sql.connect("/usr/connect.db")
    im = db.cursor()
    db.execute("INSERT INTO durum VALUES ("+str(adi)+")")
    db.commit()
    asd = "Durum mesajı '"+str(adi)+"' olarak değiştirildi."
    return render(request, asd, {})
else:
    return render('your_template_name.html', context_instance=RequestContext(request))

This way, django will proccess your template and render a correct csrf_token. I strongly suggest you follow the tutorial on djangoproject.com and make use of the ORM as well

score 1 · Answer 2 · edited May 23 '17 at 12:32

You should use django templates and RequestContext. The very fast way to check it: in your app folder create following directory structure:

1.templates/myapp_name Use name of the app, not project name!

Create file my_template.html
in your view add import:

from django.shortcuts import render

add replace your return with

return render('myapp_name/my_template.html')

Read more about configure template directory: Django template Path

Read more about render: https://docs.djangoproject.com/en/1.7/intro/tutorial03/#a-shortcut-render

Note: It's better to use django forms instead of your way: https://docs.djangoproject.com/en/1.7/topics/forms/ and class based views instead of functions(they may looks complicated by believe me - they are really awesome: https://docs.djangoproject.com/en/1.7/topics/class-based-views/

Also try do not use hardcoded urls, use https://docs.djangoproject.com/en/1.7/topics/http/urls/#reverse-resolution-of-urls instead It will done all work for you!

django CSRF verification failed. Request aborted

2 Answers2