06-Flask表单处理与数据验证深度解析
·
Flask表单处理与数据验证深度解析
一、概述
表单是Web应用与用户交互的核心组件,Flask通过Flask-WTF扩展提供了强大的表单处理能力。本文将深入解析表单类定义、字段类型、验证器、CSRF保护、文件上传以及自定义验证机制,帮助开发者构建安全、友好的表单系统。
二、Flask-WTF配置与基础
2.1 核心配置
from flask import Flask
from flask_wtf import FlaskForm
from wtforms import StringField, IntegerField, BooleanField, SelectField
from wtforms.validators import DataRequired, Email, Length
app = Flask(__name__)
# Flask-WTF核心配置
app.config['WTF_CSRF_ENABLED'] = True # 启用CSRF保护(默认True)
app.config['WTF_CSRF_SECRET_KEY'] = 'your-csrf-secret-key' # CSRF令牌密钥
app.config['WTF_CSRF_TIME_LIMIT'] = 3600 # CSRF令牌有效期(秒),None表示永不过期
app.config['WTF_CSRF_SSL_STRICT'] = True # 是否严格检查HTTPS
app.config['WTF_I18N_ENABLED'] = True # 启用国际化支持
app.config['SECRET_KEY'] = 'your-secret-key' # Flask密钥(必需)
2.2 表单基类
from flask_wtf import FlaskForm
from wtforms import Form
# FlaskForm vs Form
# FlaskForm: 提供CSRF保护,与Flask深度集成
# Form: WTForms原生表单类,无CSRF保护
class BaseForm(FlaskForm):
"""自定义表单基类"""
class Meta:
# 字段渲染配置
locales = ('zh_CN', 'en_US') # 语言环境
csrf = True # 启用CSRF
csrf_class = 'flask_wtf.csrf.CSRF' # CSRF实现类
csrf_context = None # CSRF上下文
def validate_on_submit(self):
"""检查是否为POST请求且验证通过"""
from flask import request
return request.method == 'POST' and self.validate()
def get_errors(self):
"""获取所有错误信息"""
errors = {}
for field_name, field in self._fields.items():
if field.errors:
errors[field_name] = field.errors
return errors
def populate_obj(self, obj):
"""将表单数据填充到对象"""
for name, field in self._fields.items():
if name != 'csrf_token': # 排除CSRF令牌
field.populate_obj(obj, name)
三、字段类型详解
3.1 基本字段
from wtforms import (
StringField, IntegerField, FloatField, DecimalField,
BooleanField, DateField, DateTimeField, TimeField,
EmailField, PasswordField, TextAreaField, HiddenField,
FileField, MultipleFileField, ColorField, SearchField,
TelField, URLField, RangeField
)
from wtforms.validators import DataRequired, Length, NumberRange
class BasicFieldsForm(FlaskForm):
"""基本字段演示"""
# 文本字段
username = StringField(
'用户名',
validators=[DataRequired(message='用户名不能为空'), Length(min=3, max=20)],
description='请输入3-20个字符的用户名',
default='',
render_kw={
'class': 'form-control',
'placeholder': '请输入用户名',
'autocomplete': 'off'
}
)
# 密码字段
password = PasswordField(
'密码',
validators=[DataRequired(), Length(min=6, max=128)],
render_kw={'class': 'form-control', 'placeholder': '请输入密码'}
)
# 邮箱字段(HTML5 email类型)
email = EmailField(
'邮箱',
validators=[DataRequired(), Email(message='请输入有效的邮箱地址')],
render_kw={'class': 'form-control', 'type': 'email'}
)
# 文本区域
bio = TextAreaField(
'个人简介',
validators=[Length(max=500)],
render_kw={'class': 'form-control', 'rows': 5}
)
# 整数字段
age = IntegerField(
'年龄',
validators=[NumberRange(min=0, max=150, message='年龄必须在0-150之间')],
render_kw={'class': 'form-control', 'min': 0, 'max': 150}
)
# 浮点数字段
price = FloatField(
'价格',
validators=[NumberRange(min=0)],
render_kw={'class': 'form-control', 'step': '0.01'}
)
# 定点数字段(精确计算)
amount = DecimalField(
'金额',
validators=[NumberRange(min=0)],
places=2, # 小数位数
rounding=None, # 舍入方式
render_kw={'class': 'form-control'}
)
# 布尔字段
remember = BooleanField(
'记住我',
default=False,
render_kw={'class': 'form-check-input'}
)
# 同意条款
agree = BooleanField(
'同意服务条款',
validators=[DataRequired(message='必须同意服务条款')],
render_kw={'class': 'form-check-input'}
)
# 日期字段
birthday = DateField(
'出生日期',
format='%Y-%m-%d', # 日期格式
render_kw={'class': 'form-control', 'type': 'date'}
)
# 日期时间字段
event_time = DateTimeField(
'事件时间',
format='%Y-%m-%d %H:%M:%S',
render_kw={'class': 'form-control', 'type': 'datetime-local'}
)
# 时间字段
start_time = TimeField(
'开始时间',
format='%H:%M',
render_kw={'class': 'form-control', 'type': 'time'}
)
# 隐藏字段
user_id = HiddenField(
default='',
render_kw={'class': 'hidden-field'}
)
# URL字段
website = URLField(
'个人网站',
validators=[],
render_kw={'class': 'form-control', 'type': 'url', 'placeholder': 'https://'}
)
# 电话字段
phone = TelField(
'电话',
render_kw={'class': 'form-control', 'type': 'tel'}
)
# 搜索字段
search = SearchField(
'搜索',
render_kw={'class': 'form-control', 'type': 'search'}
)
# 颜色字段
theme_color = ColorField(
'主题颜色',
default='#3498db',
render_kw={'class': 'form-control', 'type': 'color'}
)
# 范围字段
rating = RangeField(
'评分',
default=5,
render_kw={'class': 'form-control-range', 'type': 'range', 'min': 1, 'max': 10}
)
3.2 选择字段
from wtforms import SelectField, SelectMultipleField, RadioField
class SelectFieldsForm(FlaskForm):
"""选择字段演示"""
# 下拉选择
category = SelectField(
'分类',
choices=[
('', '-- 请选择 --'), # 默认选项
('tech', '技术'),
('life', '生活'),
('work', '工作'),
],
default='',
validators=[DataRequired(message='请选择分类')],
render_kw={'class': 'form-control'}
)
# 动态选项
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
# 从数据库加载选项
self.category.choices = [('', '-- 请选择 --')] + [
(c.id, c.name) for c in Category.query.all()
]
# 多选下拉
tags = SelectMultipleField(
'标签',
choices=[
('python', 'Python'),
('flask', 'Flask'),
('django', 'Django'),
('fastapi', 'FastAPI'),
],
render_kw={'class': 'form-control', 'size': 5}
)
# 单选按钮组
gender = RadioField(
'性别',
choices=[
('male', '男'),
('female', '女'),
('other', '其他'),
],
default='male',
render_kw={'class': 'form-check-input'}
)
# 布尔单选
is_public = RadioField(
'公开状态',
choices=[
(True, '公开'),
(False, '私密'),
],
coerce=lambda x: x.lower() == 'true', # 类型转换
default=True,
render_kw={'class': 'form-check-input'}
)
# 分组选择
country = SelectField(
'国家/地区',
choices=[
('', '-- 请选择 --'),
('CN', '中国'),
('US', '美国'),
('UK', '英国'),
('JP', '日本'),
('KR', '韩国'),
],
render_kw={'class': 'form-control'}
)
# 级联选择(需要JavaScript配合)
province = SelectField(
'省份',
choices=[('', '-- 请选择 --')],
render_kw={'class': 'form-control'}
)
city = SelectField(
'城市',
choices=[('', '-- 请先选择省份 --')],
render_kw={'class': 'form-control'}
)
3.3 列表字段与字段列表
from wtforms import FieldList, FormField
class PhoneForm(FlaskForm):
"""电话表单(用于嵌套)"""
label = StringField('标签', validators=[DataRequired()])
number = TelField('号码', validators=[DataRequired()])
class Meta:
csrf = False # 嵌套表单禁用CSRF
class AddressForm(FlaskForm):
"""地址表单(用于嵌套)"""
province = StringField('省份', validators=[DataRequired()])
city = StringField('城市', validators=[DataRequired()])
address = StringField('详细地址', validators=[DataRequired()])
postal_code = StringField('邮编')
class Meta:
csrf = False
class FieldListForm(FlaskForm):
"""字段列表演示"""
# 字符串列表
tags = FieldList(
StringField('标签', validators=[Length(max=50)]),
min_entries=1, # 最少条目数
max_entries=10, # 最多条目数
label='标签列表'
)
# 邮箱列表
emails = FieldList(
EmailField('邮箱', validators=[Email()]),
min_entries=1,
max_entries=5,
label='邮箱列表'
)
# 嵌套表单列表
phones = FieldList(
FormField(PhoneForm),
min_entries=1,
max_entries=5,
label='电话列表'
)
# 单个嵌套表单
address = FormField(AddressForm, label='地址信息')
def validate_tags(self, field):
"""自定义验证:标签不能重复"""
values = [f.data for f in field.entries if f.data]
if len(values) != len(set(values)):
raise ValueError('标签不能重复')
3.4 文件上传字段
from flask_wtf.file import FileField, FileRequired, FileAllowed, FileSize
class FileUploadForm(FlaskForm):
"""文件上传表单"""
# 单文件上传
avatar = FileField(
'头像',
validators=[
FileRequired(message='请选择文件'),
FileAllowed(['jpg', 'jpeg', 'png', 'gif'], message='只允许上传图片文件'),
FileSize(max_size=2 * 1024 * 1024, message='文件大小不能超过2MB') # 2MB
],
render_kw={'class': 'form-control-file', 'accept': 'image/*'}
)
# 多文件上传
documents = FileField(
'文档',
validators=[
FileAllowed(['pdf', 'doc', 'docx', 'xls', 'xlsx'], message='只允许上传文档文件'),
],
render_kw={'class': 'form-control-file', 'accept': '.pdf,.doc,.docx,.xls,.xlsx', 'multiple': True}
)
# 图片上传(带尺寸验证)
banner = FileField(
'横幅图片',
validators=[
FileRequired(),
FileAllowed(['jpg', 'jpeg', 'png']),
],
render_kw={'class': 'form-control-file', 'accept': 'image/*'}
)
# 文件上传处理
@app.route('/upload', methods=['GET', 'POST'])
def upload():
form = FileUploadForm()
if form.validate_on_submit():
# 获取上传的文件
file = form.avatar.data
# 文件信息
filename = file.filename
content_type = file.content_type
file_size = len(file.read())
file.seek(0) # 重置指针
# 安全保存文件
from werkzeug.utils import secure_filename
import os
import uuid
# 生成安全文件名
ext = os.path.splitext(filename)[1]
safe_filename = f"{uuid.uuid4().hex}{ext}"
# 保存路径
upload_dir = os.path.join(app.config['UPLOAD_FOLDER'], 'avatars')
os.makedirs(upload_dir, exist_ok=True)
file_path = os.path.join(upload_dir, safe_filename)
# 保存文件
file.save(file_path)
return {'message': '上传成功', 'filename': safe_filename}
return {'errors': form.get_errors()}, 400
3.5 字段类型架构图
四、验证器详解
4.1 内置验证器
from wtforms.validators import (
DataRequired, InputRequired, Optional,
Length, NumberRange, Email, EqualTo,
URL, UUID, Regexp, IPAddress, MacAddress,
AnyOf, NoneOf, ValidationError, StopValidation
)
class ValidatorsForm(FlaskForm):
"""验证器演示"""
# DataRequired: 必填验证(空白值也视为空)
required_field = StringField(
'必填字段',
validators=[DataRequired(message='此字段为必填项')],
render_kw={'class': 'form-control'}
)
# InputRequired: 必填验证(只检查是否有输入,不检查空白)
input_field = StringField(
'输入必填',
validators=[InputRequired(message='请输入内容')],
render_kw={'class': 'form-control'}
)
# Optional: 可选字段(空值跳过其他验证)
optional_field = StringField(
'可选字段',
validators=[Optional(), Length(max=100)],
render_kw={'class': 'form-control'}
)
# Length: 长度验证
username = StringField(
'用户名',
validators=[
DataRequired(),
Length(min=3, max=20, message='用户名长度必须在%(min)d到%(max)d个字符之间')
],
render_kw={'class': 'form-control'}
)
# NumberRange: 数值范围验证
age = IntegerField(
'年龄',
validators=[
DataRequired(),
NumberRange(min=0, max=150, message='年龄必须在%(min)d到%(max)d之间')
],
render_kw={'class': 'form-control'}
)
# Email: 邮箱格式验证
email = StringField(
'邮箱',
validators=[
DataRequired(),
Email(message='请输入有效的邮箱地址')
],
render_kw={'class': 'form-control'}
)
# EqualTo: 相等验证
password = PasswordField(
'密码',
validators=[DataRequired(), Length(min=6)],
render_kw={'class': 'form-control'}
)
password_confirm = PasswordField(
'确认密码',
validators=[
DataRequired(),
EqualTo('password', message='两次输入的密码不一致')
],
render_kw={'class': 'form-control'}
)
# URL: URL格式验证
website = StringField(
'网站',
validators=[
Optional(),
URL(message='请输入有效的URL', require_tld=True)
],
render_kw={'class': 'form-control'}
)
# UUID: UUID格式验证
uuid_field = StringField(
'UUID',
validators=[UUID(message='请输入有效的UUID')],
render_kw={'class': 'form-control'}
)
# Regexp: 正则表达式验证
phone = StringField(
'手机号',
validators=[
DataRequired(),
Regexp(
r'^1[3-9]\d{9}$',
message='请输入有效的手机号码'
)
],
render_kw={'class': 'form-control'}
)
# IPAddress: IP地址验证
ip_address = StringField(
'IP地址',
validators=[
Optional(),
IPAddress(ipv4=True, ipv6=True, message='请输入有效的IP地址')
],
render_kw={'class': 'form-control'}
)
# MacAddress: MAC地址验证
mac_address = StringField(
'MAC地址',
validators=[MacAddress(message='请输入有效的MAC地址')],
render_kw={'class': 'form-control'}
)
# AnyOf: 值必须在指定列表中
status = StringField(
'状态',
validators=[
DataRequired(),
AnyOf(['active', 'inactive', 'pending'], message='无效的状态值')
],
render_kw={'class': 'form-control'}
)
# NoneOf: 值不能在指定列表中
reserved_name = StringField(
'用户名',
validators=[
DataRequired(),
NoneOf(['admin', 'root', 'system'], message='此用户名已被保留')
],
render_kw={'class': 'form-control'}
)
4.2 自定义验证器
from wtforms.validators import ValidationError
import re
# 函数式验证器
def validate_username(form, field):
"""用户名验证器"""
username = field.data
# 检查是否包含特殊字符
if not re.match(r'^[a-zA-Z0-9_]+$', username):
raise ValidationError('用户名只能包含字母、数字和下划线')
# 检查是否以数字开头
if username[0].isdigit():
raise ValidationError('用户名不能以数字开头')
# 检查数据库唯一性
from models import User
user = User.query.filter_by(username=username).first()
if user and (not hasattr(form, 'user_id') or user.id != form.user_id.data):
raise ValidationError('该用户名已被使用')
# 类式验证器
class UniqueValidator:
"""唯一性验证器"""
def __init__(self, model, field, message='该值已存在'):
self.model = model
self.field = field
self.message = message
def __call__(self, form, field):
# 排除当前记录
exclude_id = getattr(form, 'exclude_id', None)
query = self.model.query.filter(self.field == field.data)
if exclude_id:
query = query.filter(self.model.id != exclude_id)
if query.first():
raise ValidationError(self.message)
class PasswordStrength:
"""密码强度验证器"""
def __init__(self, min_length=8, require_upper=True, require_lower=True,
require_digit=True, require_special=False, message=None):
self.min_length = min_length
self.require_upper = require_upper
self.require_lower = require_lower
self.require_digit = require_digit
self.require_special = require_special
self.message = message
def __call__(self, form, field):
password = field.data or ''
errors = []
if len(password) < self.min_length:
errors.append(f'密码长度至少{self.min_length}位')
if self.require_upper and not re.search(r'[A-Z]', password):
errors.append('密码必须包含大写字母')
if self.require_lower and not re.search(r'[a-z]', password):
errors.append('密码必须包含小写字母')
if self.require_digit and not re.search(r'\d', password):
errors.append('密码必须包含数字')
if self.require_special and not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
errors.append('密码必须包含特殊字符')
if errors:
raise ValidationError(self.message or '; '.join(errors))
class DateRange:
"""日期范围验证器"""
def __init__(self, min_date=None, max_date=None, min_field=None, max_field=None,
message=None):
self.min_date = min_date
self.max_date = max_date
self.min_field = min_field
self.max_field = max_field
self.message = message
def __call__(self, form, field):
from datetime import datetime
date = field.data
if not date:
return
# 检查最小日期
min_date = self.min_date
if self.min_field:
min_date = getattr(form, self.min_field).data
if min_date and date < min_date:
raise ValidationError(self.message or '日期不能早于最小日期')
# 检查最大日期
max_date = self.max_date
if self.max_field:
max_date = getattr(form, self.max_field).data
if max_date and date > max_date:
raise ValidationError(self.message or '日期不能晚于最大日期')
class FileExtension:
"""文件扩展名验证器"""
def __init__(self, allowed_extensions, message=None):
self.allowed_extensions = [ext.lower() for ext in allowed_extensions]
self.message = message or f'只允许以下文件类型: {", ".join(self.allowed_extensions)}'
def __call__(self, form, field):
if not field.data:
return
filename = field.data.filename
ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
if ext not in self.allowed_extensions:
raise ValidationError(self.message)
# 使用自定义验证器
class RegistrationForm(FlaskForm):
"""注册表单(使用自定义验证器)"""
username = StringField(
'用户名',
validators=[
DataRequired(),
Length(min=3, max=20),
validate_username, # 函数式验证器
UniqueValidator(User, User.username, '该用户名已被注册') # 类式验证器
],
render_kw={'class': 'form-control'}
)
email = StringField(
'邮箱',
validators=[
DataRequired(),
Email(),
UniqueValidator(User, User.email, '该邮箱已被注册')
],
render_kw={'class': 'form-control'}
)
password = PasswordField(
'密码',
validators=[
DataRequired(),
PasswordStrength(
min_length=8,
require_upper=True,
require_lower=True,
require_digit=True,
require_special=True
)
],
render_kw={'class': 'form-control'}
)
start_date = DateField('开始日期', validators=[DataRequired()])
end_date = DateField(
'结束日期',
validators=[
DataRequired(),
DateRange(min_field='start_date', message='结束日期不能早于开始日期')
]
)
4.3 表单级验证
class ComplexForm(FlaskForm):
"""复杂表单验证"""
password = PasswordField('密码', validators=[DataRequired()])
password_confirm = PasswordField('确认密码', validators=[DataRequired()])
field1 = StringField('字段1')
field2 = StringField('字段2')
# 条件必填字段
contact_method = SelectField(
'联系方式',
choices=[('email', '邮箱'), ('phone', '电话'), ('both', '两者')]
)
email = StringField('邮箱')
phone = StringField('电话')
def validate(self, extra_validators=None):
"""表单级验证"""
# 先执行字段级验证
if not super().validate(extra_validators):
return False
# 密码一致性验证
if self.password.data != self.password_confirm.data:
self.password_confirm.errors.append('两次输入的密码不一致')
return False
# 条件必填验证
contact = self.contact_method.data
if contact in ('email', 'both') and not self.email.data:
self.email.errors.append('请填写邮箱')
return False
if contact in ('phone', 'both') and not self.phone.data:
self.phone.errors.append('请填写电话')
return False
# 字段组合唯一性验证
if self.field1.data and self.field2.data:
exists = Model.query.filter_by(
field1=self.field1.data,
field2=self.field2.data
).first()
if exists:
self.field1.errors.append('该组合已存在')
return False
return True
def validate_password(self, field):
"""字段级自定义验证方法"""
# 命名规范: validate_<field_name>
password = field.data
# 检查是否包含用户名
if self.username.data and self.username.data.lower() in password.lower():
raise ValidationError('密码不能包含用户名')
def validate_email(self, field):
"""邮箱验证"""
if field.data:
# 检查邮箱域名是否在黑名单中
domain = field.data.split('@')[-1]
blacklist = ['tempmail.com', 'throwaway.com']
if domain in blacklist:
raise ValidationError('不支持临时邮箱')
4.4 验证器架构图
五、CSRF保护机制
5.1 CSRF工作原理
from flask_wtf.csrf import CSRFProtect, CSRFError, generate_csrf, validate_csrf
# 初始化CSRF保护
csrf = CSRFProtect(app)
# 或使用工厂模式
csrf = CSRFProtect()
csrf.init_app(app)
# CSRF令牌生成与验证流程
class CSRFMechanism:
"""CSRF机制详解"""
@staticmethod
def generate_token():
"""生成CSRF令牌"""
# 令牌基于session和SECRET_KEY生成
token = generate_csrf(
secret_key=app.config['SECRET_KEY'],
token_key='csrf_token', # session中的键名
time_limit=3600 # 有效期
)
return token
@staticmethod
def validate_token(token):
"""验证CSRF令牌"""
try:
validate_csrf(
token,
secret_key=app.config['SECRET_KEY'],
time_limit=3600
)
return True
except CSRFError:
return False
@staticmethod
def get_token_from_request():
"""从请求中获取CSRF令牌"""
from flask import request
# 检查顺序
# 1. 请求体中的csrf_token字段
# 2. X-CSRFToken请求头
# 3. X-CSRF-Token请求头
token = request.form.get('csrf_token')
if not token:
token = request.headers.get('X-CSRFToken')
if not token:
token = request.headers.get('X-CSRF-Token')
return token
# CSRF错误处理
@app.errorhandler(CSRFError)
def handle_csrf_error(e):
"""CSRF错误处理"""
return {
'error': 'CSRF验证失败',
'message': '请刷新页面后重试'
}, 400
5.2 模板中的CSRF令牌
<!-- 表单中包含CSRF令牌 -->
<form method="POST" action="/submit">
<!-- 自动添加CSRF令牌(使用FlaskForm时自动包含) -->
{{ form.hidden_tag() }}
<!-- 或手动添加 -->
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<!-- 其他字段 -->
{{ form.username.label }}
{{ form.username(class="form-control") }}
<button type="submit">提交</button>
</form>
<!-- AJAX请求中的CSRF令牌 -->
<script>
// 在meta标签中存储CSRF令牌
<meta name="csrf-token" content="{{ csrf_token() }}">
// AJAX请求时添加CSRF头
fetch('/api/submit', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRFToken': document.querySelector('meta[name="csrf-token"]').content
},
body: JSON.stringify(data)
});
</script>
5.3 CSRF豁免
from flask_wtf.csrf import csrf_exempt, csrf_protect
# 豁免特定视图函数
@app.route('/api/webhook', methods=['POST'])
@csrf_exempt
def webhook():
"""第三方回调接口(豁免CSRF)"""
return {'status': 'ok'}
# 豁免整个蓝图
api_bp = Blueprint('api', __name__, url_prefix='/api')
csrf.exempt(api_bp)
# 条件豁免
@app.route('/api/data', methods=['POST'])
def api_data():
"""条件豁免CSRF"""
# 检查API密钥认证
if request.headers.get('X-API-Key'):
# API密钥认证豁免CSRF
return process_data()
# 否则需要CSRF验证
return csrf_protect(process_data)()
# 自定义CSRF验证
class CustomCSRF:
"""自定义CSRF验证"""
def __init__(self, app=None):
self._exempt_views = set()
if app:
self.init_app(app)
def init_app(self, app):
app.before_request(self._protect)
def exempt(self, view):
"""豁免装饰器"""
self._exempt_views.add(view.__name__)
return view
def _protect(self):
"""保护检查"""
from flask import request, current_app
# 检查是否豁免
if request.endpoint in self._exempt_views:
return
# 只保护POST/PUT/DELETE/PATCH
if request.method not in ('POST', 'PUT', 'DELETE', 'PATCH'):
return
# 验证CSRF令牌
token = self._get_token()
if not self._validate_token(token):
from flask_wtf.csrf import CSRFError
raise CSRFError('CSRF token missing or invalid.')
def _get_token(self):
"""获取令牌"""
from flask import request
return request.form.get('csrf_token') or \
request.headers.get('X-CSRFToken')
def _validate_token(self, token):
"""验证令牌"""
from flask_wtf.csrf import validate_csrf
try:
validate_csrf(token)
return True
except:
return False
5.4 CSRF保护流程图
六、表单渲染与模板集成
6.1 基本渲染
<!-- templates/form.html -->
{% extends "base.html" %}
{% block content %}
<h2>{{ title }}</h2>
<form method="POST" action="" novalidate>
<!-- CSRF令牌 -->
{{ form.hidden_tag() }}
<!-- 方式1:手动渲染 -->
<div class="form-group">
<label for="username">{{ form.username.label.text }}</label>
{{ form.username(class="form-control", id="username", placeholder="请输入用户名") }}
{% if form.username.errors %}
<div class="invalid-feedback">
{% for error in form.username.errors %}
<span>{{ error }}</span>
{% endfor %}
</div>
{% endif %}
</div>
<!-- 方式2:使用label属性 -->
<div class="form-group">
{{ form.email.label(class="form-label") }}
{{ form.email(class="form-control" + (" is-invalid" if form.email.errors else "")) }}
{% if form.email.errors %}
<div class="invalid-feedback">
{{ form.email.errors[0] }}
</div>
{% endif %}
</div>
<!-- 方式3:循环渲染所有字段 -->
{% for field in form %}
{% if field.type != 'CSRFTokenField' %}
<div class="form-group">
{{ field.label(class="form-label") }}
{{ field(class="form-control") }}
{% if field.errors %}
<div class="invalid-feedback d-block">
{% for error in field.errors %}
<p class="mb-0">{{ error }}</p>
{% endfor %}
</div>
{% endif %}
{% if field.description %}
<small class="form-text text-muted">{{ field.description }}</small>
{% endif %}
</div>
{% endif %}
{% endfor %}
<button type="submit" class="btn btn-primary">提交</button>
</form>
{% endblock %}
6.2 自定义渲染宏
<!-- macros/form_macros.html -->
{% macro render_field(field, label_class='form-label', field_class='form-control', show_description=True) %}
<div class="form-group mb-3">
{{ field.label(class=label_class) }}
{% if field.type == 'BooleanField' %}
<div class="form-check">
{{ field(class='form-check-input') }}
{{ field.label(class='form-check-label') }}
</div>
{% elif field.type == 'SelectField' %}
{{ field(class=field_class) }}
{% elif field.type == 'TextAreaField' %}
{{ field(class=field_class, rows=field.rows|default(5)) }}
{% elif field.type == 'FileField' %}
{{ field(class='form-control-file') }}
{% elif field.type == 'RadioField' %}
{% for choice in field %}
<div class="form-check form-check-inline">
{{ choice(class='form-check-input') }}
{{ choice.label(class='form-check-label') }}
</div>
{% endfor %}
{% else %}
{{ field(class=field_class, **kwargs) }}
{% endif %}
{% if field.errors %}
<div class="invalid-feedback d-block">
{% for error in field.errors %}
<p class="mb-0 text-danger">{{ error }}</p>
{% endfor %}
</div>
{% endif %}
{% if show_description and field.description %}
<small class="form-text text-muted">{{ field.description }}</small>
{% endif %}
</div>
{% endmacro %}
{% macro render_form(form, action='', method='POST', submit_text='提交', cancel_url=None) %}
<form method="{{ method }}" action="{{ action }}" enctype="multipart/form-data" novalidate>
{{ form.hidden_tag() }}
{% for field in form %}
{% if field.type != 'CSRFTokenField' and field.type != 'SubmitField' %}
{{ render_field(field) }}
{% endif %}
{% endfor %}
<div class="form-group">
<button type="submit" class="btn btn-primary">{{ submit_text }}</button>
{% if cancel_url %}
<a href="{{ cancel_url }}" class="btn btn-secondary">取消</a>
{% endif %}
</div>
</form>
{% endmacro %}
{% macro render_field_with_value(field, value=None) %}
<div class="form-group">
{{ field.label(class='form-label') }}
{% if value %}
{{ field(class='form-control', value=value) }}
{% else %}
{{ field(class='form-control', value=field.data) }}
{% endif %}
{% if field.errors %}
<div class="invalid-feedback d-block">
{{ field.errors[0] }}
</div>
{% endif %}
</div>
{% endmacro %}
{% macro render_inline_form(form, submit_text='搜索') %}
<form class="form-inline" method="GET">
{% for field in form %}
{% if field.type != 'CSRFTokenField' and field.type != 'SubmitField' %}
<div class="form-group mr-2">
{{ field(class='form-control', placeholder=field.label.text) }}
</div>
{% endif %}
{% endfor %}
<button type="submit" class="btn btn-primary">{{ submit_text }}</button>
</form>
{% endmacro %}
6.3 使用宏渲染表单
<!-- templates/user_form.html -->
{% from "macros/form_macros.html" import render_form, render_field %}
{% extends "base.html" %}
{% block content %}
<h2>{{ '编辑用户' if user else '创建用户' }}</h2>
{{ render_form(
form,
action=url_for('user.create' if not user else 'user.edit', user_id=user.id if user else None),
submit_text='保存',
cancel_url=url_for('user.list')
) }}
<!-- 或单独渲染字段 -->
{{ render_field(form.username, placeholder='请输入用户名') }}
{{ render_field(form.email, type='email') }}
{{ render_field(form.bio, rows=10) }}
{% endblock %}
6.4 Bootstrap样式集成
from flask_bootstrap import Bootstrap5
app = Flask(__name__)
bootstrap = Bootstrap5(app)
# 模板中使用
<!-- templates/bootstrap_form.html -->
{% extends "bootstrap/base.html" %}
{% import "bootstrap/wtf.html" as wtf %}
{% block content %}
<div class="container">
<h2>用户注册</h2>
<!-- 快速渲染整个表单 -->
{{ wtf.quick_form(form, button_map={'submit': 'primary'}) }}
<!-- 或自定义渲染 -->
<form method="POST">
{{ form.hidden_tag() }}
{{ wtf.form_field(form.username) }}
{{ wtf.form_field(form.email) }}
{{ wtf.form_field(form.password) }}
<button type="submit" class="btn btn-primary">注册</button>
</form>
</div>
{% endblock %}
七、实战案例
7.1 完整注册表单
from flask import Flask, render_template, redirect, url_for, flash
from flask_wtf import FlaskForm
from wtforms import StringField, PasswordField, BooleanField, SubmitField
from wtforms.validators import DataRequired, Email, Length, EqualTo, ValidationError
from werkzeug.security import generate_password_hash
import re
app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'
class RegistrationForm(FlaskForm):
"""用户注册表单"""
username = StringField(
'用户名',
validators=[
DataRequired(message='用户名不能为空'),
Length(min=3, max=20, message='用户名长度必须在3-20个字符之间')
],
description='3-20个字符,只能包含字母、数字和下划线',
render_kw={
'class': 'form-control',
'placeholder': '请输入用户名',
'autofocus': True
}
)
email = StringField(
'邮箱',
validators=[
DataRequired(message='邮箱不能为空'),
Email(message='请输入有效的邮箱地址')
],
render_kw={
'class': 'form-control',
'type': 'email',
'placeholder': '请输入邮箱'
}
)
password = PasswordField(
'密码',
validators=[
DataRequired(message='密码不能为空'),
Length(min=8, max=128, message='密码长度必须在8-128个字符之间')
],
description='至少8个字符,建议包含大小写字母、数字和特殊字符',
render_kw={
'class': 'form-control',
'placeholder': '请输入密码'
}
)
password_confirm = PasswordField(
'确认密码',
validators=[
DataRequired(message='请确认密码'),
EqualTo('password', message='两次输入的密码不一致')
],
render_kw={
'class': 'form-control',
'placeholder': '请再次输入密码'
}
)
agree_terms = BooleanField(
'我已阅读并同意服务条款',
validators=[DataRequired(message='必须同意服务条款')],
render_kw={'class': 'form-check-input'}
)
submit = SubmitField('注册', render_kw={'class': 'btn btn-primary btn-block'})
def validate_username(self, field):
"""验证用户名格式"""
username = field.data
if not re.match(r'^[a-zA-Z][a-zA-Z0-9_]*$', username):
raise ValidationError('用户名必须以字母开头,只能包含字母、数字和下划线')
# 检查用户名是否已存在
from models import User
if User.query.filter_by(username=username).first():
raise ValidationError('该用户名已被注册')
def validate_email(self, field):
"""验证邮箱唯一性"""
from models import User
if User.query.filter_by(email=field.data).first():
raise ValidationError('该邮箱已被注册')
def validate_password(self, field):
"""验证密码强度"""
password = field.data
# 检查是否包含用户名
if self.username.data and self.username.data.lower() in password.lower():
raise ValidationError('密码不能包含用户名')
# 检查密码复杂度
has_upper = re.search(r'[A-Z]', password)
has_lower = re.search(r'[a-z]', password)
has_digit = re.search(r'\d', password)
if not (has_upper and has_lower and has_digit):
raise ValidationError('密码必须包含大写字母、小写字母和数字')
@app.route('/register', methods=['GET', 'POST'])
def register():
form = RegistrationForm()
if form.validate_on_submit():
# 创建用户
from models import User, db
user = User(
username=form.username.data,
email=form.email.data,
password_hash=generate_password_hash(form.password.data)
)
db.session.add(user)
db.session.commit()
flash('注册成功!请登录。', 'success')
return redirect(url_for('login'))
return render_template('register.html', form=form)
7.2 动态表单
from wtforms import FieldList, StringField, SelectField
from wtforms.validators import DataRequired
class DynamicForm(FlaskForm):
"""动态表单示例"""
# 动态标签列表
tags = FieldList(
StringField('标签', validators=[Length(max=50)]),
min_entries=1,
max_entries=10
)
# 动态问答列表
questions = FieldList(
StringField('问题', validators=[DataRequired()]),
min_entries=1,
max_entries=20
)
# 动态选择列表
options = FieldList(
StringField('选项', validators=[DataRequired()]),
min_entries=2,
max_entries=10
)
@app.route('/survey/create', methods=['GET', 'POST'])
def create_survey():
form = DynamicForm()
if request.method == 'POST':
# 动态添加字段
if 'add_tag' in request.form:
form.tags.append_entry()
return render_template('survey_form.html', form=form)
if 'add_question' in request.form:
form.questions.append_entry()
return render_template('survey_form.html', form=form)
if form.validate_on_submit():
# 保存数据
tags = [tag.data for tag in form.tags if tag.data]
questions = [q.data for q in form.questions if q.data]
# ... 保存到数据库
flash('问卷创建成功!', 'success')
return redirect(url_for('survey.list'))
return render_template('survey_form.html', form=form)
7.3 多步骤表单
from flask import session
class Step1Form(FlaskForm):
"""步骤1:基本信息"""
username = StringField('用户名', validators=[DataRequired()])
email = StringField('邮箱', validators=[DataRequired(), Email()])
next_step = SubmitField('下一步')
class Step2Form(FlaskForm):
"""步骤2:详细信息"""
name = StringField('姓名', validators=[DataRequired()])
phone = StringField('电话', validators=[DataRequired()])
previous_step = SubmitField('上一步')
next_step = SubmitField('下一步')
class Step3Form(FlaskForm):
"""步骤3:确认信息"""
address = TextAreaField('地址')
previous_step = SubmitField('上一步')
submit = SubmitField('完成注册')
@app.route('/register/step/<int:step>', methods=['GET', 'POST'])
def register_step(step):
"""多步骤注册"""
# 初始化session存储
if 'registration_data' not in session:
session['registration_data'] = {}
if step == 1:
form = Step1Form(data=session['registration_data'])
if form.validate_on_submit() and form.next_step.data:
session['registration_data'].update({
'username': form.username.data,
'email': form.email.data
})
return redirect(url_for('register_step', step=2))
elif step == 2:
form = Step2Form(data=session['registration_data'])
if form.validate_on_submit():
if form.previous_step.data:
return redirect(url_for('register_step', step=1))
if form.next_step.data:
session['registration_data'].update({
'name': form.name.data,
'phone': form.phone.data
})
return redirect(url_for('register_step', step=3))
elif step == 3:
form = Step3Form(data=session['registration_data'])
if form.validate_on_submit():
if form.previous_step.data:
return redirect(url_for('register_step', step=2))
if form.submit.data:
# 完成注册
data = session['registration_data']
data['address'] = form.address.data
# 创建用户
user = User(**data)
db.session.add(user)
db.session.commit()
# 清除session
session.pop('registration_data', None)
flash('注册成功!', 'success')
return redirect(url_for('login'))
else:
return redirect(url_for('register_step', step=1))
return render_template(f'register_step_{step}.html', form=form, step=step)
八、最佳实践
8.1 表单安全最佳实践
from flask_wtf.csrf import validate_csrf
from werkzeug.security import check_password_hash
class SecurityBestPractices:
"""表单安全最佳实践"""
@staticmethod
def sanitize_input():
"""输入净化"""
from markupsafe import escape
def sanitize_string(value):
if isinstance(value, str):
return escape(value).strip()
return value
return sanitize_string
@staticmethod
def rate_limit():
"""请求频率限制"""
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
limiter = Limiter(
app,
key_func=get_remote_address,
default_limits=["200 per day", "50 per hour"]
)
@app.route('/login', methods=['GET', 'POST'])
@limiter.limit("5 per minute")
def login():
form = LoginForm()
# ...
@staticmethod
def honeypot():
"""蜜罐字段防垃圾提交"""
class HoneypotForm(FlaskForm):
username = StringField('用户名', validators=[DataRequired()])
email = StringField('邮箱', validators=[Email()])
# 蜜罐字段(隐藏,正常用户不会填写)
website = StringField(
'',
render_kw={'style': 'display:none', 'tabindex': '-1', 'autocomplete': 'off'}
)
def validate_website(self, field):
if field.data: # 如果填写了蜜罐字段,可能是机器人
raise ValidationError('Invalid submission')
@staticmethod
def timestamp_validation():
"""时间戳验证防重放攻击"""
import time
class TimestampForm(FlaskForm):
timestamp = HiddenField()
def validate_timestamp(self, field):
try:
ts = int(field.data)
current = int(time.time())
# 验证时间戳在5分钟内
if abs(current - ts) > 300:
raise ValidationError('表单已过期,请刷新页面')
except ValueError:
raise ValidationError('无效的时间戳')
8.2 表单性能优化
class FormPerformance:
"""表单性能优化"""
@staticmethod
def lazy_choices():
"""延迟加载选项"""
class LazySelectForm(FlaskForm):
category = SelectField('分类', coerce=int)
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
# 在实例化时才加载选项
self.category.choices = [
(c.id, c.name) for c in Category.query.all()
]
@staticmethod
def cached_choices():
"""缓存选项"""
from flask_caching import cache
@cache.cached(timeout=3600, key_prefix='category_choices')
def get_category_choices():
return [(c.id, c.name) for c in Category.query.all()]
class CachedSelectForm(FlaskForm):
category = SelectField('分类', coerce=int)
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.category.choices = get_category_choices()
@staticmethod
def bulk_validation():
"""批量验证优化"""
class BulkForm(FlaskForm):
emails = FieldList(StringField('邮箱'))
def validate_emails(self, field):
# 批量验证邮箱唯一性
emails = [f.data for f in field.entries if f.data]
existing = set(
User.query.filter(User.email.in_(emails))
.with_entities(User.email)
.all()
)
for entry in field.entries:
if entry.data in existing:
entry.errors.append('该邮箱已被使用')
AtomGit 是由开放原子开源基金会联合 CSDN 等生态伙伴共同推出的新一代开源与人工智能协作平台。平台坚持“开放、中立、公益”的理念,把代码托管、模型共享、数据集托管、智能体开发体验和算力服务整合在一起,为开发者提供从开发、训练到部署的一站式体验。
更多推荐
1
0- 0
已为社区贡献23条内容
所有评论(0)