Delete data without Django Form

Question

I wondering what best practices are with regards to deleting something in the database.

When a user wants to delete a ticket in my database, he clicks on a link that POSTs to the URL:

username/tickets/{ticket_id}

The POST contains nothing more session information and a CSRF token. As it stands right now, the id of the ticket that is actually deleted is captured from the url. Is this okay? It's typical to handle POSTs in Django using forms. Should I make a form for deleting tickets and then include the ticket_id in the POST body even though there is almost no input sanitation required? Is what I am doing now considered a hack?

Thank you Nick

Answer 1

HYour question goes beyond Django in particular and my guess is this is simply a matter of best practices and security on the web (regardless of framework or language used).

What you are doing is basically correct (and sane!), given that you take the below writing into consideration.

First, the handling of the data from the client to your server-side app:

• Session protection: Protect these POST reachable URLs via session tokens (Is the user logged in or not? Are they known to your app?)
• CSRF protection: Make use of CSRF tokens to protect against cross site scripting attacks
• Ownership checks: Is the ticket owned by the user deleting it?
• HTTP Method checking: Limit the audience for these URLs to POST only (no GET, PATCH, ...).

Then, regarding input sanitation. This can be dealt with on at least two levels:

• Type checking: While fragile, your View code should check (or try to convert) what kind of data came in (integers, strings, ...) and see if this is what was expected
• SQL Parameter binding: The code that queries your database should construct your queries using parameter binding, so no SQL injections can happen (assuming you are using an SQL database)

If you have got all that setup, I think you have a solid base.