
    <sql:query var="rs" dataSource="${conn}">
      SELECT color FROM cow_color ORDER BY color
    </sql:query>
    <br />Cow color:<br />
    <select name="color">
      <c:forEach var="row" items="${rs.rows}">
        <option value="<c:out value="${row.color}"/>"
          <c:if test="${row.color == color}">selected="selected"</c:if>
          ><c:out value="${row.color}"/></option>
      </c:forEach>
    </select>

• The cust_name text field:

    <br />Customer name:<br />
    <input type="text" name="cust_name"
      value="<c:out value="${cust_name}"/>" size="60" />

For PHP or Python, create the form using the utility functions developed in Recipe 18.3 and Recipe 18.4. See the cow_edit.php and cow_edit.py scripts for details.

18.6 Collecting Web Input

18.6.1 Problem

You want to extract the input parameters that were submitted as part of a form or specified at the end of a URL.

18.6.2 Solution

Each API provides a means of accessing the names and values of the input parameters in the execution environment of a web script.

18.6.3 Discussion

Earlier sections of this chapter discuss how to retrieve information from MySQL and use it to generate various forms of output, such as static text, hyperlinks, or form elements. In this section, we'll discuss the opposite problem: how to collect input from the Web. Applications for such input are many. For example, you can use the techniques shown in this section to extract the contents of a form submitted by a user. You might interpret the information as search keywords, then run a query against a product catalog and show the matching items to a customer. In this case, you use the Web to collect information from which you can determine the client's interests. From that you construct an appropriate search query and display the results. If a form represents a survey, a mailing list sign-up sheet, or a poll, you might just store the values, using the data to create a new database record or perhaps to update an existing record.

A script that receives input over the Web and uses it to interact with MySQL generally processes the information in a series of stages:

1. Extract the input from the execution environment. When a request arrives that contains input parameters, the web server places the input into the environment of the script that handles the request, and the script queries its environment to obtain the parameters. It may be necessary to decode special characters in the parameters to recover the actual values submitted by the client, if the extraction mechanism provided by your API doesn't do it for you. For example, you may need to convert %20 to a space.

2. Validate the input to make sure it's legal. You cannot trust users to send legal values, so it's a good idea to check input parameters to make sure they look reasonable. For example, if you expect a user to enter a number into a field, you should check the value to be sure it's really numeric. If a form contains a pop-up menu that was constructed using the allowable values of an ENUM column, you might expect the value that you actually get back to be one of these values. But there's no way to be sure except to check: a client need not use your form at all and can send any value it likes. If you don't check, you run the risk of entering garbage into your database.

3. Construct a query based on the input. Typically, input parameters are used to add a record to a database, or to retrieve information from the database for display to the client. Either way, you use the input to construct a query and send it to the MySQL server. Query construction based on user input should be done with care, using proper escaping or placeholders so that user-supplied values never become part of the SQL text itself; otherwise you risk creating malformed or dangerous (injected) SQL statements.

The rest of this section explores the first of these three stages of input processing. Recipe 18.7 and Recipe 18.8 cover the second and third stages. The first stage, pulling input from the execution environment, has little to do with MySQL, but is covered here because it's necessarily the means by which you obtain the information used in the later processing stages.

Input obtained over the Web can be received in several ways, two of which are most common:

• As part of a GET request, in which case input parameters are appended to the end of the URL. For example, the following URL invokes a PHP script price_quote.php and specifies item and quantity parameters with values D-0214 and 60:

    http://apache.snake.net/mcb/price_quote.php?item=D-0214&quantity=60

Such requests commonly are received when a user selects a hyperlink or submits a form that specifies method="GET" in the <form> tag. A parameter list in a URL begins with ? and consists of name=value pairs separated by ; or & characters. It's also possible to place information in the middle of a URL, but this book doesn't cover that.

• As part of a POST request, such as a form submission that specifies method="POST" in the <form> tag. The contents of a form for a POST request are sent as input parameters in the body of the request, rather than at the end of the URL.

You may also have occasion to process other types of input, such as uploaded files. Those are sent using POST requests, but as part of a special kind of form that is discussed in Recipe 18.9.

When you gather input for a web script, you may need to be concerned with how the input was sent. Some APIs distinguish between input sent via GET and POST, others do not. However, once you have pulled out the information that was sent, the request method doesn't matter. The validation and query construction stages do not need to know whether parameters were sent using GET or POST.

The recipes distribution includes some scripts in the apache/params directory (tomcat/mcb for JSP) that process input parameters. Each script allows you to submit GET or POST requests, and shows how to extract and display the parameter values thus submitted. Examine these scripts to see how the parameter extraction methods for the various APIs are used. Utility routines invoked by the scripts can be found in the library modules in the lib directory of the distribution.
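The following Python script is an added example, not code from the cookbook or its recipes distribution. It walks the price_quote request above through the three stages (extract, validate, build the query) against a WSGI-style environ dict, so it runs offline. The environ keys (REQUEST_METHOD, QUERY_STRING, CONTENT_TYPE, CONTENT_LENGTH, wsgi.input) are the standard ones a server such as Apache with mod_wsgi supplies; the catalog table, the D-0214 item-code pattern, and the quantity and body-size limits are assumptions made for the example.

```python
"""Added example: extract, validate, and parameterize web input.

Not from the MySQL Cookbook.  Assumes a WSGI-style environ dict; the
catalog table, item-code format and limits below are invented for the demo.
"""
import io
import re
from urllib.parse import parse_qs

MAX_BODY_BYTES = 64 * 1024              # assumed cap on form bodies we read
ITEM_RE = re.compile(r"^[A-Z]-[0-9]{4}$")  # assumed item-code shape, e.g. D-0214
QUANTITY_RE = re.compile(r"^[0-9]+$")     # ASCII digits only
MAX_QUANTITY = 10000                    # assumed sanity limit


def extract_params(environ):
    """Stage 1: return {name: [value, ...]} from the request.

    GET parameters come from QUERY_STRING; POST form parameters come from
    the body, and only for application/x-www-form-urlencoded.  parse_qs
    does the %xx and '+' decoding, so '%20' becomes a space.  Both sources
    are merged because the later stages do not care which method delivered
    a value.  (Python 3.9.2+ splits pairs on '&' only; pass separator=';'
    to parse_qs if you must accept ';'-separated lists.)
    """
    params = {}
    query = environ.get("QUERY_STRING", "")
    if query:
        params.update(parse_qs(query, keep_blank_values=True))
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if ctype == "application/x-www-form-urlencoded":
            try:
                length = int(environ.get("CONTENT_LENGTH") or 0)
            except ValueError:
                length = 0
            body = environ["wsgi.input"].read(min(length, MAX_BODY_BYTES))
            decoded = parse_qs(body.decode("utf-8", "replace"),
                               keep_blank_values=True)
            for name, values in decoded.items():
                params.setdefault(name, []).extend(values)
    return params


def validate_quote_request(params):
    """Stage 2: accept only values shaped like what the form can send.

    The form is no guarantee; any client can send anything, so the check
    happens here on the server.  Only the first value of each name is used.
    """
    item = params.get("item", [""])[0]
    quantity = params.get("quantity", [""])[0]
    if not ITEM_RE.match(item):
        raise ValueError("item does not look like a catalog code: %r" % item)
    if not QUANTITY_RE.match(quantity) or not 1 <= int(quantity) <= MAX_QUANTITY:
        raise ValueError("quantity is not a number in range: %r" % quantity)
    return item, int(quantity)


def build_quote_query(item, quantity):
    """Stage 3: a parameterized statement (DB-API %s placeholders, as used by
    MySQLdb / mysql-connector).  Values travel separately from the SQL text,
    so escaping is the driver's job and user data is never spliced in."""
    sql = ("SELECT item, unit_price, unit_price * %s AS total "
           "FROM catalog WHERE item = %s")
    return sql, (quantity, item)


def handle_quote_request(environ):
    """All three stages; returns (sql, params) ready for cursor.execute()."""
    return build_quote_query(*validate_quote_request(extract_params(environ)))


def rejected(environ):
    """True if validation rejects the request."""
    try:
        handle_quote_request(environ)
    except ValueError:
        return True
    return False


def get_request(query_string):
    """Constructed GET request, as for ...price_quote.php?item=D-0214&quantity=60."""
    return {"REQUEST_METHOD": "GET", "QUERY_STRING": query_string,
            "wsgi.input": io.BytesIO(b"")}


def post_request(body):
    """Constructed POST request carrying a urlencoded form body."""
    data = body.encode("utf-8")
    return {"REQUEST_METHOD": "POST", "QUERY_STRING": "",
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}


if __name__ == "__main__":
    print(handle_quote_request(get_request("item=D-0214&quantity=60")))
    print(handle_quote_request(post_request("item=D-0214&quantity=60")))
    print("rejected:", rejected(get_request("item=D-0214%27+OR+1%3D1--&quantity=60")))
```

Both the GET and the POST request yield the same (sql, params) pair, which is the point made above: once the parameters are out of the environment, the method no longer matters. The injection-style item value is stopped at stage 2 by the shape check, and even a value that slipped past validation would reach MySQL only as a bound parameter, never as SQL text.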

18.6.4 Web Input Extraction Conventions