Safely store data from GET request - Django

Alright,

Let's say we need to create a website with Django where people can book a lodge for the weekends.

We add a search form on the homepage where people can fill in the check-in and check-out date to filter for all available lodges.

We use a generic ListView to create an overview of all the lodges and we override the queryset to grab the search parameters from the GET request to create a filtered view.

views.py

from django.views.generic import ListView

from .models import Calendar, Listing


class ListingsView(ListView):
    """Return all listings"""
    model = Listing
    template_name = 'orders/listings.html'

    def get_queryset(self):
        """
        Visitors can either visit the page with or without a search query
        appended to the URL. They can either use the form to perform a search
        or supply a URL with the appropriate parameters.
        """
        # Get the start and end dates from the URL. request.GET values are
        # always raw strings, or None when the parameter is absent.
        check_in = self.request.GET.get('check_in')
        check_out = self.request.GET.get('check_out')

        queryset = Calendar.objects.filter(is_available=True)

        # Apply the date range only when both parameters were supplied;
        # filtering with None on __gte/__lt raises a ValueError.
        if check_in and check_out:
            queryset = queryset.filter(
                date__gte=check_in,
                date__lt=check_out,
            )

        return queryset

Now, this code is simplified for readability, but what I would like to do is store the check-in and check-out dates people are searching for.

Updated views.py

from django.views.generic import ListView

from .models import Calendar, Listing, Statistics


class ListingsView(ListView):
    """Return all listings"""
    model = Listing
    template_name = 'orders/listings.html'

    def get_queryset(self):
        """
        Visitors can either visit the page with or without a search query
        appended to the URL. They can either use the form to perform a search
        or supply a URL with the appropriate parameters.
        """
        # Get the start and end dates from the URL. request.GET values are
        # always raw strings, or None when the parameter is absent.
        check_in = self.request.GET.get('check_in')
        check_out = self.request.GET.get('check_out')

        queryset = Calendar.objects.filter(is_available=True)

        # Apply the date range and record the search only when both
        # parameters were supplied; filtering with None raises a ValueError.
        if check_in and check_out:
            queryset = queryset.filter(
                date__gte=check_in,
                date__lt=check_out,
            )

            # Store the raw search dates for later analysis
            Statistics.objects.create(
                check_in=check_in,
                check_out=check_out
            )

        return queryset

We created a "Statistics" model to store all dates people are looking for.

We essentially add data to a model by using a GET request, and I'm wondering whether this is the right way of doing things. Aren't we creating any vulnerabilities?

The search form uses hidden text inputs, so there's always the possibility of not knowing what data is coming in. Is cleaning or checking the datatype of these inputs enough, or will this always be in string format?

Any ideas?

Greetz,

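The core point for the question above: everything in request.GET is a str (or None when the key is absent), regardless of what the HTML input type was, so the two dates have to be parsed and checked before they reach either the filter or the Statistics table. Below is an added example that is not the poster's code; it mirrors what a Django forms.Form with two DateFields and a clean() method does, written in plain Python so it runs without Django installed. The names SearchError, SearchWindow, clean_search, record_search, the MAX_RANGE_DAYS limit and the in-memory STATISTICS list are all constructed for this illustration.

```python
"""Validate booking-search parameters before anything is stored.

Stand-in for a Django forms.Form with two DateFields and a clean() method
(constructed example; no Django dependency).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed limit on how long a searched range may be (assumption).
MAX_RANGE_DAYS = 30


class SearchError(ValueError):
    """Raised when the GET parameters are missing, malformed or inconsistent."""


@dataclass(frozen=True)
class SearchWindow:
    """A pair of dates that passed every check."""
    check_in: date
    check_out: date


def parse_iso_date(value: Optional[str], field: str) -> date:
    """Turn one raw query-string value into a date, or fail with a clear reason.

    Query-string values are always str (or None when absent), never a date,
    so the type conversion is where untrusted input is rejected.
    """
    if value is None or value.strip() == "":
        raise SearchError(f"{field}: missing")
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        raise SearchError(f"{field}: not a date in YYYY-MM-DD form") from None


def clean_search(params: dict, today: Optional[date] = None) -> SearchWindow:
    """Validate both dates the way a Form.clean() would.

    `params` is a plain dict standing in for request.GET.
    """
    today = today or date.today()
    check_in = parse_iso_date(params.get("check_in"), "check_in")
    check_out = parse_iso_date(params.get("check_out"), "check_out")
    if check_in < today:
        raise SearchError("check_in: in the past")
    if check_out <= check_in:
        raise SearchError("check_out: must be after check_in")
    if (check_out - check_in) > timedelta(days=MAX_RANGE_DAYS):
        raise SearchError(f"range longer than {MAX_RANGE_DAYS} days")
    return SearchWindow(check_in, check_out)


# In-memory stand-in for the Statistics table (constructed for the example).
STATISTICS: list = []


def record_search(params: dict, today: Optional[date] = None) -> Optional[SearchWindow]:
    """Store a search only after it validated; rejected input is never stored.

    Returns the validated window, or None when nothing was recorded.
    """
    try:
        window = clean_search(params, today)
    except SearchError:
        return None
    # Only typed, range-checked values reach storage, never the raw strings.
    STATISTICS.append((window.check_in, window.check_out))
    return window


if __name__ == "__main__":
    # Constructed sample inputs standing in for several request.GET dicts.
    for sample in (
        {"check_in": "2099-06-07", "check_out": "2099-06-09"},
        {"check_in": "2099-06-07", "check_out": "2099-06-07"},
        {"check_in": "not-a-date", "check_out": "2099-06-09"},
        {"check_in": "2099-06-07"},
    ):
        print(sample, "->", record_search(sample))
```

Two Django-specific facts worth keeping in mind alongside this: request.GET is a QueryDict, and .get() returns the last value when a key is repeated in the URL, so a repeated parameter is not an error but simply the final occurrence; and Django's CSRF protection does not apply to GET, which is one reason writing rows from a GET handler is unusual: every crawler, link preview or bookmarked URL will create a Statistics row, so the logging belongs behind validation and ideally behind rate limiting or a dedicated POST endpoint if the numbers are meant to be trustworthy.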