
    color value: <c:out value="${param['color']}"/>

paramValues[name] returns an array of values for the parameter, so it's useful for parameters that may have multiple values:

    accessory values:
    <c:forEach var="val" items="${paramValues['accessories']}">
      <c:out value="${val}"/>
    </c:forEach>

You can also access a parameter using dot notation if the parameter name is legal as an object property name:

    color value: <c:out value="${param.color}"/>
    accessory values:
    <c:forEach var="val" items="${paramValues.accessories}">
      <c:out value="${val}"/>
    </c:forEach>

To produce a list of parameter objects with key and value attributes, iterate over the paramValues variable:

    <ul>
    <c:forEach var="p" items="${paramValues}">
      <li>
      name: <c:out value="${p.key}"/>;
      values:
      <c:forEach var="val" items="${p.value}">
        <c:out value="${val}"/>
      </c:forEach>
      </li>
    </c:forEach>
    </ul>

To construct URLs that point to JSP pages and that have parameters at the end, you should separate the parameters by & characters.

18.7 Validating Web Input

18.7.1 Problem

After extracting the parameters supplied to a script, it's a good idea to check them to be sure they're valid.

18.7.2 Solution

Web input processing is one form of data import, so after you've extracted the input parameters, you can validate them using the techniques discussed in Chapter 10.

18.7.3 Discussion

One phase of form processing is to extract the input that comes back when the user submits the form. It's also possible to receive input in the form of parameters at the end of a URL. But no matter the input source, if you're going to store it in your database, it's a good idea to check it to be sure it's valid.

When a client sends input to you over the Web, you don't really know what they're sending. If you present a form for users to fill out, most of the time they'll probably be nice and enter the kinds of values you expect. But a malicious user can save the form to a file, modify the file to allow form options you don't intend, reload the file into a browser window, and submit the modified form. Your form-processing script won't know the difference. If you write it only to process the kinds of values that well-intentioned users will submit, the script may misbehave or crash when presented with unexpected input, or perhaps even do bad things to your database. Recipe 18.8 discusses what kinds of bad things can happen. For this reason, it's prudent to perform some validity checking on web input before using it to construct database queries.

Preliminary checking is a good idea even for non-malicious users. If you require a field to be filled in and the user forgets to provide a value, you'll need to remind the user to supply one. This can involve a simple "Is the parameter present?" check, or it may be more involved. Typical types of validation operations include the following:

• Checking content format, such as making sure a value looks like an integer or a date. This may involve some reformatting for acceptability to MySQL (for example, changing a date from MMDDYY to ISO format).

• Determining whether or not a value is a member of a legal set of values. Perhaps the value must be listed in the definition for an ENUM or SET column, or must be present in a lookup table.

• Filtering out extraneous characters such as spaces or dashes from telephone numbers or credit card numbers.

Some of these operations have little to do with MySQL, except in the sense that you want values to be appropriate to the types of the columns you'll store them in or perform matches against. For example, if you're going to store a value in an INT column, you can make sure it's an integer first, using a test like this (shown here using Perl):

    use CGI qw(escapeHTML);   # escapeHTML() comes from the CGI module

    # Anchored to the whole string, so "12abc" and "-1" are rejected too
    $val =~ /^\d+$/
      or die "Hey, \"" . escapeHTML ($val) . "\" is not an integer\n";

For other types of validation, MySQL is intimately involved. If a field value is to be stored into an ENUM column, you can make sure the value is one of the legal enumeration values by checking the column definition with SHOW COLUMNS.

Having described some of the kinds of web input validation you might want to carry out, I won't further discuss them here. These and other forms of validation testing are described in Chapter 10. That chapter is oriented largely toward bulk input validation, but the techniques discussed there apply to web programming as well, because processing form input or URL parameters is, in essence, performing a data import operation.
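As an added example (not code from the MySQL Cookbook), here is a Python version of the checks listed above. It goes beyond the page's single integer test to cover all three validation types: format checking with MMDDYY-to-ISO reformatting, ENUM/SET membership parsed from the Type value a SHOW COLUMNS row reports, and filtering separators out of telephone numbers. The table and column definitions in SAMPLE_SHOW_COLUMNS, the form field names (qty, color, accessories, order_date, phone), and the two-digit-year rule in mmddyy_to_iso are all constructed for the example.

```python
import re
from datetime import date

# Constructed sample: the Field -> Type pairs that SHOW COLUMNS would return
# for a hypothetical table, embedded here so the example runs without a
# database connection. In a real script you would run SHOW COLUMNS and
# fill this dict from the result rows.
SAMPLE_SHOW_COLUMNS = {
    "color": "enum('red','green','blue')",
    "accessories": "set('bag','case','strap')",
    "qty": "int(11)",
}


def is_integer(value):
    """True if value consists only of ASCII digits (the Perl /^\\d+$/ test)."""
    return re.fullmatch(r"\d+", value, re.ASCII) is not None


def mmddyy_to_iso(value):
    """Reformat an MMDDYY date string as ISO (YYYY-MM-DD), or return None if
    it is not a real calendar date. Two-digit years map 00-69 to 2000-2069
    and 70-99 to 1970-1999 (a convention assumed for this example)."""
    m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})", value, re.ASCII)
    if not m:
        return None
    month, day, yy = (int(g) for g in m.groups())
    year = 2000 + yy if yy < 70 else 1900 + yy
    try:
        return date(year, month, day).isoformat()
    except ValueError:          # month 13, February 30, and so on
        return None


def enum_or_set_members(type_str):
    """Parse the Type value of a SHOW COLUMNS row such as
    enum('red','green','blue') into its legal members; None for other types."""
    m = re.fullmatch(r"(enum|set)\((.*)\)", type_str, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    # Members are single-quoted; a literal quote inside a member is doubled.
    return [s.replace("''", "'")
            for s in re.findall(r"'((?:[^']|'')*)'", m.group(2))]


def is_legal_enum_value(column, value, show_columns=SAMPLE_SHOW_COLUMNS):
    """True if value is one of the members of the ENUM column's definition."""
    members = enum_or_set_members(show_columns[column])
    return members is not None and value in members


def is_legal_set_value(column, values, show_columns=SAMPLE_SHOW_COLUMNS):
    """True if every submitted value is a member of the SET column's definition."""
    members = enum_or_set_members(show_columns[column])
    return members is not None and all(v in members for v in values)


def strip_phone_separators(value):
    """Remove spaces, dashes, dots and parentheses from a phone number and
    require that only 7-15 digits remain; returns the digits or None."""
    digits = re.sub(r"[\s.()-]", "", value)
    return digits if re.fullmatch(r"\d{7,15}", digits, re.ASCII) else None


def validate_form(params):
    """Validate a dict of submitted parameters (strings, except 'accessories',
    which is a list of strings). Returns (clean_values, error_messages);
    clean_values holds only the fields that passed and is what gets stored."""
    clean, errors = {}, []

    qty = params.get("qty", "")
    if is_integer(qty):
        clean["qty"] = int(qty)
    else:
        errors.append("qty: %r is not an integer" % qty)

    color = params.get("color", "")
    if is_legal_enum_value("color", color):
        clean["color"] = color
    else:
        errors.append("color: %r is not a legal value" % color)

    accessories = params.get("accessories", [])
    if is_legal_set_value("accessories", accessories):
        clean["accessories"] = ",".join(accessories)   # SET values are comma-separated
    else:
        errors.append("accessories: contains a value not in the SET definition")

    iso = mmddyy_to_iso(params.get("order_date", ""))
    if iso is not None:
        clean["order_date"] = iso
    else:
        errors.append("order_date: not a valid MMDDYY date")

    phone = strip_phone_separators(params.get("phone", ""))
    if phone is not None:
        clean["phone"] = phone
    else:
        errors.append("phone: not a valid telephone number")

    return clean, errors
```

In a real script the params dict would come from the parameter extraction shown in Recipe 18.6 and SAMPLE_SHOW_COLUMNS from a SHOW COLUMNS query; the point of keeping the legal ENUM/SET members in data rather than hard-coding them is that the check stays correct when the column definition changes. Only values that pass go into clean, so the code that builds the query never sees the raw input.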

18.8 Using Web Input to Construct Queries