CRUD & Forms
Let users create, read, update and delete data through your pages.
What you will learn
- Show data from the database
- Build a form to add data
- Handle form submissions
CRUD stands for the four things every data-driven app does: Create, Read, Update and Delete records. In this lesson we build Read (show records) and Create (add a record with a form); Update and Delete follow the same shapes.
Show records (Read)
Reading is the easiest part: ask the ORM for the records, then hand them to a template to display. Here a view fetches all posts and passes them to a page:
# views.py
from django.shortcuts import render
from .models import Post
def post_list(request):
posts = Post.objects.all()
return render(request, "post_list.html", {"posts": posts})Post.objects.all() pulls every post out of the database, and render() sends that list to post_list.html under the name posts. The template can then loop over posts (with {% for %}) to show each one — exactly like the Templates lesson.
Add a record (Create)
To let visitors add data we need an HTML form. A form collects what the user types and sends it to the server when they click submit. Put it in a template:
# a simple form in a template
<form method="post">
{% csrf_token %}
<input name="title">
<textarea name="body"></textarea>
<button type="submit">Save</button>
</form>method="post" means the form sends data. (Browsers talk to servers using HTTP — the language of the web — and GET and POST are two of its request types: GET just asks to view a page, while POST is used to send or change data, like submitting this form.) {% csrf_token %} adds a hidden safety token — CSRF stands for Cross-Site Request Forgery, an attack where a different website tricks the user’s browser into submitting your form; the token proves the request really came from your own page (more below). Each name — name="title" and name="body" — is the label the server uses to read that field. The button submits everything.
When the user clicks Save, the browser sends the typed values to a view. That same view shows the empty form on a normal visit and saves the data when the form comes back:
# views.py — handle the submitted form
def post_create(request):
if request.method == "POST":
Post.objects.create(
title=request.POST["title"],
body=request.POST["body"],
)
return redirect("post_list")
return render(request, "post_form.html")The if request.method == "POST" check splits two cases. If the request is a POST (the form was submitted), we read the typed values from request.POST by their name, create the post, and redirect the user to the list page. Otherwise (a normal GET visit) we just show the empty post_form.html.
Here is the whole create flow, step by step:
- The user opens the add page. The request is a GET, so the view shows the empty form (
render(...)). - The user fills in the fields and clicks Save. The browser sends a POST request carrying the data.
- The view sees
request.method == "POST"and reads each value fromrequest.POSTusing itsname. Post.objects.create(...)saves a new row in the database.- The view redirects to the list page, so a refresh will not re-submit the form, and the user sees their new post in the list.
Note: Output: after clicking Save, the browser jumps to the post list and the newly added post appears at the bottom — proof it was written to the database.
Watch out: Every Django form needs {% csrf_token %} inside it — a security check. Without it, Django blocks the submission.
Tip: Django also has ModelForms that build the whole form from your model automatically — a big time-saver once you’re comfortable.
Q. What must every Django POST form include?
✍️ Practice
- Build a page that lists records from the database.
- Build a form that adds a new record and redirects to the list.
🏠 Homework
- Add Update and Delete views to complete full CRUD.