
I am trying to set up an API using Django. In my views.py, I have this endpoint:

from datetime import datetime

from rest_framework.decorators import api_view
from rest_framework.response import Response


@api_view()
def update_label(request):
    user_id = request.query_params['user_id']
    date = datetime.strptime(request.query_params['date'], '%Y-%m-%dT%H:%M:%S.%f')
    label_name = request.query_params['label_name']
    value = request.query_params['value']
    # turn the JSON string sent by the client into a Python object
    value = eval(value)
    db_user_ctrl.update_label(date, user_id, label_name, value)
    return Response({'status': 'SUCCESS'})

It updates some label in the database for some user. Multiple labels can be updated from this endpoint; some associate value with an integer, some associate value with a small dictionary, e.g. {'item1':1,'item2':-1}. On the JavaScript side I use JSON.stringify(value) to format the value before sending it via a GET request. On the Django side, I can see the proper parameters have been received through the debugging interface. However, I have the following error:

invalid literal for int() with base 10: '{"item1":-1}'

Associated with this line in my code:

value = request.query_params['value']

What is happening here? Why is it trying to cast the string into an integer?

EDIT 1:

Some more info on the stack trace:

.../venv/lib/python3.4/site-packages/django/core/handlers/base.py in get_response
.../venv/lib/python3.4/site-packages/django/core/handlers/base.py in get_response
.../venv/lib/python3.4/site-packages/django/views/decorators/csrf.py in wrapped_view
.../venv/lib/python3.4/site-packages/django/views/generic/base.py in view
.../venv/lib/python3.4/site-packages/rest_framework/views.py in dispatch
.../venv/lib/python3.4/site-packages/rest_framework/views.py in dispatch
.../venv/lib/python3.4/site-packages/rest_framework/decorators.py in handler
.../webapp/api/views.py in update_label
    value = request.query_params['value']

  • Please post the full stack trace, if you can. Because my first guess would have been that the problem is actually eval(value). Which you should not do, by the way, because you have a remote code execution problem right there. Commented Jul 8, 2016 at 10:50
  • Not sure why you're using eval here at all. Not only is it unnecessary, but it seems a particularly bad idea to call it on unvalidated user input. Commented Jul 8, 2016 at 10:50
  • I use eval to transform a string into a Python object; maybe there are safer ways to do this, but I don't think this is where the problem is. I tried to comment out the eval line and got the same error. The query params should be interpreted as strings, and all the other parameters are! For some reason Django tries to cast this one into an int. Commented Jul 8, 2016 at 12:39
  • That's not the stack trace, that's a list of lines. Please show the full thing. Commented Jul 8, 2016 at 13:44

2 Answers

Can you try

    import json

    value = json.loads(request.query_params['value'])
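A safe replacement for the eval(value) call in the question, as an added example (not code from the question or from either answer): json.loads() parses the string the client built with JSON.stringify, and an explicit shape check then accepts only what the endpoint expects, an integer or a small dictionary of integers. json.loads never evaluates code, so an expression such as "1+1" is rejected instead of computed. The length and item-count limits are assumed values, not from the post.

```python
import json
from typing import Dict, Union

# Assumed limits; they bound parsing cost, they are not part of the original post.
MAX_RAW_LENGTH = 1024
MAX_ITEMS = 16

LabelValue = Union[int, Dict[str, int]]


def _is_int(obj) -> bool:
    # bool is a subclass of int in Python, so "true"/"false" would slip through
    # a plain isinstance(obj, int) check; reject it explicitly.
    return isinstance(obj, int) and not isinstance(obj, bool)


def parse_label_value(raw: str) -> LabelValue:
    """Parse the `value` query parameter without eval().

    Accepts exactly the two shapes described in the question: a JSON integer
    (e.g. "3") or a small JSON object mapping strings to integers
    (e.g. '{"item1":1,"item2":-1}'). Anything else raises ValueError so the
    view can answer 400 Bad Request instead of interpreting the text.
    """
    if len(raw) > MAX_RAW_LENGTH:
        raise ValueError("value is too long")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        # "1+1", "__import__(...)" or any other non-JSON text lands here.
        raise ValueError(f"value is not valid JSON: {exc.msg}") from None
    if _is_int(data):
        return data
    if isinstance(data, dict):
        if len(data) > MAX_ITEMS:
            raise ValueError("value has too many items")
        for key, item in data.items():
            if not _is_int(item):
                raise ValueError(f"item {key!r} must map to an integer")
        return data  # JSON object keys are always str
    # floats, lists, booleans, null and strings are all rejected
    raise ValueError("value must be an integer or an object of integers")


def rejects(raw: str) -> bool:
    """True if parse_label_value refuses the input (used for self-checks)."""
    try:
        parse_label_value(raw)
    except ValueError:
        return True
    return False
```

In the view, `value = parse_label_value(request.query_params['value'])` inside a try/except ValueError that returns a 400 response replaces the eval line.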


The issue was quite sneaky: it was due to Gunicorn caching some files. In the old version of views.py, I had value = int(request.query_params['value']). When I updated the code, Gunicorn was still answering using the outdated cached files, hence the failure to cast a string into an int. I restarted Gunicorn and it's working now.
