We can control how each field is cleaned by overriding a special method on our form class.
Fields still have validators, which we'll talk about in the next video, so you can't, for example, make an EmailField
accept non-valid email addresses by overriding the clean_fieldname
method for that field. Cleaning a field is for additional verification of the submitted data.
So our form is pretty much done.
0:00
So I think it would be a good idea to
add a honeypot field to catch bots.
0:01
There are packages out
there to handle this,
0:06
but I think that we can do it on our own.
0:07
Django gives us three types of
special validation on forms.
0:09
We can validate the form as a whole.
0:13
We use this if we need to validate two or
more fields in relation to each other,
0:16
like making sure that someone
gives us either a phone number,
0:20
an email address or both.
0:23
We can validate individual fields
with custom cleaning methods.
0:26
This is for slightly more complicated
things than our next approach, but
0:29
this is where we're going to start.
0:33
And finally, we can use Django's
built-in validators, or create our own.
0:35
Validators are functions
that take a value and
0:40
return a specific error
if the value is wrong.
0:42
We'll talk more about
these in the next video.
0:45
You'll encounter field cleaning
methods pretty often in the wild.
0:47
So, I want to start there.
0:50
Let's go make our honey pot and
make sure that's empty.
0:52
So, we have a pretty cool form and
view combo, right now.
0:55
Our view shows a form,
they fill it in, we get an e-mail,
1:00
they get a message saying thank you,
and everything just works really well.
1:04
So that's great.
1:09
But our form right now is maybe
a little bit prone to abuse?
1:10
Or even less abuse, more just misuse.
1:16
We don't want to have spiders, bots
coming along, filling out our form and
1:20
just sending us tons of junk submissions,
1:25
especially ones that are comment
bots like you find on blogs.
1:27
So, we need to prevent that.
1:33
And one of the cool ways, and fairly easy
ways, to prevent that is you provide
1:34
a hidden input in an invisible field
that normally is called a honey pot.
1:38
And if anything's in that honey pot
then you're like, eh, you're probably a bot.
1:43
I'm not actually gonna submit your thing.
1:47
And we could do that in our view.
1:50
We could add a field and then check to
make sure that the field was empty.
1:52
But that's a bad idea,
because we have to remember to do it.
1:55
It makes more sense to do it in our form,
and just have our form do it for us.
1:58
So let's add a new field
that we'll call honeypot.
2:03
And you can call this pooh bear, or
bees, or whatever you wanna call it.
2:07
And we're gonna make this a CharField,
this doesn't really matter too much.
2:12
And we're gonna say required=False,
for now.
2:17
We're gonna say required=False for now,
2:21
just because we want
the field to be blankable.
2:23
We don't want anybody to have
to actually fill anything in.
2:27
And then we're gonna
specify a widget on it.
2:29
And widget is gonna be forms.HiddenInput.
2:33
And the label which is the text,
if you look here this one says name.
2:39
By default it just takes this and
capitalizes the first letter.
2:45
But we want to specify
a custom label on this so
2:49
that humans if they ever see
it know what to do with it.
2:51
And we'll just say leave empty.
2:54
All right.
2:57
So there we go.
Let's go look at our form, and
2:58
we don't see leave empty.
3:03
But if we inspect it,
and we look over here,
3:05
then now there is this new hidden
field here called honeypot.
3:11
It doesn't print a label
because it's hidden.
3:14
If we were to change something.
3:18
If we were to change this somehow so
3:19
it wasn't hidden then
that input would show up.
3:22
We don't want that input to show up
though we want it to stay hidden.
3:25
So, having this hidden honeypot field
doesn't actually make it to where our form
3:28
will fail validation if
the honeypot's filled out.
3:33
We could go and submit this and
say bot@example.com and
3:38
[SOUND] and then let's inspect.
3:45
We get into some browser trickery here,
and, I'm gonna actually edit this.
3:49
I'm gonna add a new one, called value,
and it's gonna be filled with bees.
3:56
And so now if I submit this
it still goes through.
4:02
It still says thanks for
your submission, or suggestion, sorry.
4:05
So, just having the honey
pot didn't make us safer.
4:09
This is kinda long,
I'm gonna break this down.
4:14
Sorry, okay.
4:26
I'm gonna stop messing with that.
4:27
So, how do we clean this up?
4:29
How do we handle that?
4:31
Well, we can override the cleaning
method for this one individual field.
4:32
So, we can do def clean_honeypot and
this will be the method that's called.
4:36
When Django does the is_valid, it
basically runs through every single field.
4:43
It looks for a clean, and
then whatever the field's name is,
4:48
and runs that function,
if it exists, that method.
4:52
And if it doesn't, it has a built in way
of making sure, like, that a CharField,
4:55
that's not left as required false,
actually has something in it.
4:59
That an email field is actually an email.
5:03
Things like that.
5:05
So, in this case, it'll look for
this clean honey pot.
5:07
And since it now exists, it will run it.
5:09
So, what we wanna do is we wanna say that
5:12
honeypot equals
self.cleaned_data honey pot.
5:15
Because we wanna get
the data that's in there.
5:21
And if there's any len to honeypot,
5:24
if there's anything at all in there,
then we want to raise a validation error.
5:26
And we're gonna raise
forms.ValidationError and
5:31
we're gonna say,
honeypot should be left empty.
5:35
Bad bot!
5:40
Cuz it's probably a bot.
5:43
And then no matter what,
we're going to return honeypot.
5:45
We have to send back the data.
5:48
Or really, we're sending back the form
itself, but we definitely want, or
5:52
the field itself, but
we have to send all that back.
5:55
Okay, cool.
5:58
So now, let's try this again.
5:59
We'll put in Bot, bot@example.com.
6:02
Put in some gobbledygook.
6:05
And then, I'm going to inspect my form,
find my honeypot, edit.
6:09
Oops.
6:16
Add an attribute,
value equals some binary.
6:21
All right, cool, and I'm gonna submit it.
6:27
Aha look at that.
6:30
Hidden, oops, hidden field honey pot.
6:31
Honey pot should be left empty, bad bot.
6:33
And our stuff is still filled in.
6:35
It didn't create a new email.
6:37
If we were to look in here
in our suggestions folder.
6:39
It hasn't refreshed.
6:42
Woop.
6:46
Okay.
So
6:47
we have two cuz I submitted one that says
Kenneth and I submitted one that says Bot.
6:47
We don't have a third.
6:50
So that's the way that we can handle
cleaning just one single field.
6:51
You can write a clean field method for
any field in your form.
6:57
Like I said at the beginning of the video,
7:01
if you need to clean more than one field,
and
7:03
their validation depends on each other,
you'll want to clean the entire form.
7:04
We'll do that together in a later video.
7:08
Now though,
7:11
let's see how we can do this a little
bit differently with a custom validator.
7:12