HTML text input, and using the input as a variable in a script (Tcl) / SQL (SQLite)
I'm very VERY new at this whole web thing. And I'm just very confused in general. Basically, what I want to do is take an input via text using HTML and add that input to the database, table trans. Should be simple but I am lost.
<li>Transaction Number</li>
<li><input type="text" name="tnumber"></li> <!-- do i need to use value? -->
<li>Employee Name</li>
<li><input type="text" name="ename"></li>
<li><input type="submit" value="Add"></li>
......
......
package require sqlite3
sqlite3 db $::env(ROOT)/database.db
db eval {INSERT INTO trans VALUES ($tnumber, $ename)}
db close
They are both in the same file and there are only two fields in the database to keep things simple. What I can see here is that tnumber and ename aren't declared as variables. So how do I do that, so that the text input is assigned to the respective variables?
You're after the ncgi package (in Tcllib), which you can use to decode the values in the form and extract them into variables. To do this, you'd have a webpage with a form like this:

(I'll not go into much more depth with the details of writing a form on a webpage.)

Then, in your program (addTransaction.tcl) you do something like this:

Note that I've changed the names of the variables to be different from the ones in the webform. This is to show that they do not need to be the same. A few other things to note are that you can make the transaction number field optional (supply a default via the second optional argument to ncgi::value) and it might also be better to do generation of transaction ids in the database (but that's another separate question; I've focussed in this answer on how to couple from the web into SQLite).

Of more interest is the fact that the above code is free of SQL injection attacks. However, whenever you come to taking the contents of the database and sending it back out to the web, you'll need to be careful again or you'll leave open XSS attacks. That's when the html package (Tcllib again) is useful, since it lets you generate correct hazard-free output with minimal effort. But that's another question...