Django’s form system handles the complete lifecycle of user input: rendering HTML fields, processing submitted data, validating against constraints, reporting errors, and saving clean data to the database. Getting forms right means your application rejects bad data early, gives clear feedback, and stays secure against injection and manipulation. This guide covers the form patterns that work in production: ModelForms, custom validators, formsets, nested forms, file upload handling, multi-step workflows, and the integration points between server validation and client-side feedback. For the data layer behind forms, see our ORM hub.
Forms are the primary attack surface of most web applications. Every form is a trust boundary. The patterns here prioritize correctness and security over developer convenience.
Basic Form and ModelForm
A standard form for collecting data:
from django import forms
class ContactForm(forms.Form):
name = forms.CharField(max_length=100)
email = forms.EmailField()
message = forms.CharField(widget=forms.Textarea)A ModelForm binds directly to a model, generating fields from the model definition:
from django import forms
from .models import Product
class ProductForm(forms.ModelForm):
class Meta:
model = Product
fields = ['name', 'category', 'price', 'description']
widgets = {
'description': forms.Textarea(attrs={'rows': 4}),
}ModelForms automatically apply model-level validators and constraints. They also handle save() to create or update model instances.
Custom field validation
Add field-level validation with clean_<fieldname> methods:
class RegistrationForm(forms.Form):
username = forms.CharField(max_length=50)
email = forms.EmailField()
def clean_username(self):
username = self.cleaned_data['username']
if User.objects.filter(username=username).exists():
raise forms.ValidationError('This username is already taken.')
return usernameFor cross-field validation, override clean():
class DateRangeForm(forms.Form):
start_date = forms.DateField()
end_date = forms.DateField()
def clean(self):
cleaned = super().clean()
start = cleaned.get('start_date')
end = cleaned.get('end_date')
if start and end and start >= end:
raise forms.ValidationError('End date must be after start date.')
return cleanedReusable validators
Define validators as functions or classes for reuse across multiple forms and models:
from django.core.exceptions import ValidationError
import re
def validate_no_profanity(value):
blocked_words = ['spam', 'scam'] # Real implementation would be more comprehensive
for word in blocked_words:
if word in value.lower():
raise ValidationError(f'Content contains blocked language.')
class Product(models.Model):
name = models.CharField(max_length=200, validators=[validate_no_profanity])
description = models.TextField(validators=[validate_no_profanity])Validators defined on models run during both form validation and full_clean().
Processing forms in views
The standard pattern for handling form submissions:
from django.shortcuts import render, redirect
def product_create(request):
if request.method == 'POST':
form = ProductForm(request.POST, request.FILES)
if form.is_valid():
product = form.save()
return redirect('product_detail', slug=product.slug)
else:
form = ProductForm()
return render(request, 'catalog/product_form.html', {'form': form})Always handle both GET (display empty form) and POST (process submission). Always check is_valid() before accessing cleaned_data. Always redirect after successful POST to prevent duplicate submissions.
Formsets for multiple objects
Formsets handle multiple instances of the same form:
from django.forms import modelformset_factory
OrderItemFormSet = modelformset_factory(
OrderItem,
fields=['product', 'quantity'],
extra=3,
can_delete=True,
)In the view:
def manage_order_items(request, order_id):
order = get_object_or_404(Order, id=order_id)
if request.method == 'POST':
formset = OrderItemFormSet(request.POST, queryset=order.items.all())
if formset.is_valid():
instances = formset.save(commit=False)
for instance in instances:
instance.order = order
instance.save()
formset.save_m2m()
for obj in formset.deleted_objects:
obj.delete()
return redirect('order_detail', order_id=order.id)
else:
formset = OrderItemFormSet(queryset=order.items.all())
return render(request, 'orders/manage_items.html', {'formset': formset, 'order': order})File upload handling
Handle file uploads with request.FILES:
class DocumentForm(forms.ModelForm):
class Meta:
model = Document
fields = ['title', 'file']
def clean_file(self):
file = self.cleaned_data['file']
if file.size > 10 * 1024 * 1024: # 10 MB
raise forms.ValidationError('File size must be under 10 MB.')
allowed = ['application/pdf', 'image/jpeg', 'image/png']
if file.content_type not in allowed:
raise forms.ValidationError('Unsupported file type.')
return fileValidate both size and content type. The security checklist covers additional file upload security measures.
Template rendering
Render forms with control over layout:
<form method="post" enctype="multipart/form-data">
{% csrf_token %}
{% for field in form %}
<div class="form-group {% if field.errors %}has-error{% endif %}">
<label for="{{ field.id_for_label }}">{{ field.label }}</label>
{{ field }}
{% if field.help_text %}
<small>{{ field.help_text }}</small>
{% endif %}
{% for error in field.errors %}
<span class="error">{{ error }}</span>
{% endfor %}
</div>
{% endfor %}
{% if form.non_field_errors %}
<div class="form-errors">
{% for error in form.non_field_errors %}
<p class="error">{{ error }}</p>
{% endfor %}
</div>
{% endif %}
<button type="submit">Submit</button>
</form>Include enctype="multipart/form-data" for forms with file fields.
Widget customization
Control how fields render with custom widgets and attributes:
class ProductForm(forms.ModelForm):
class Meta:
model = Product
fields = ['name', 'price', 'description']
widgets = {
'name': forms.TextInput(attrs={'class': 'form-control', 'placeholder': 'Product name'}),
'price': forms.NumberInput(attrs={'class': 'form-control', 'step': '0.01'}),
'description': forms.Textarea(attrs={'class': 'form-control', 'rows': 6}),
}Frequently asked questions
Should I use Django forms or handle validation manually? Use Django forms. They handle CSRF protection, data cleaning, type coercion, and error reporting consistently. Manual validation is error-prone and duplicates work the framework does better.
How do I integrate Django forms with a frontend framework? Render forms as JSON or use Django REST Framework serializers for API endpoints. The frontend handles rendering and client-side validation, while Django performs authoritative server-side validation.
When should I use formsets versus inline formsets? Regular formsets handle standalone forms. Inline formsets handle forms related to a parent object. Use inline formsets when editing child objects from the parent’s edit page.
How do I build multi-step forms?
Use Django’s SessionWizardView from django-formtools, or store intermediate data in the session manually and validate each step independently. Each step should validate its own data before advancing.