HTML text input, and using the input as a variable in a script (tcl) / sql (sqlite)

Posted 2024-08-29 12:05:51, 640 characters, 5 views, 0 comments


I'm very VERY new at this whole web thing. And I'm just very confused in general. Basically, what I want to do is take an input via text using HTML and add that input to the database, table trans. Should be simple but I am lost.

    <li>Transaction Number</li>
    <li><input type="text" name="tnumber"></li> <!-- do I need to use value? -->
    <li>Employee Name</li>
    <li><input type="text" name="ename"></li>
    <li><input type="submit" value="Add"></li>


    ......
    ......
    sqlite3 db $::env(ROOT)/database.db
    db eval {INSERT INTO trans VALUES ($tnumber, $ename)}
    db close

They are both in the same file and there are only two fields in the database to keep things simple. What I can see here is that tnumber and ename aren't declared as variables. So how do I do that, so that the text input is assigned to the respective variables?


Comments (1)

青朷 2024-09-05 12:05:51


You're after the ncgi package (in Tcllib), which you can use to decode the values in the form and extract them into variables. To do this, you'd have a webpage with a form like this:

    <form method="POST" action="/cgi-bin/addTransaction.tcl">
      <li>Transaction Number: <input type="text" name="tnumber">
      <li>Employee Name:      <input type="text" name="ename">
      <li><input type="submit" value="Add">
    </form>

(I'll not go into much more depth with the details of writing a form on a webpage.)

Then, in your program (addTransaction.tcl) you do something like this:

    package require ncgi
    package require sqlite3

    ncgi::parse

    set xact [ncgi::value "tnumber"]
    set name [ncgi::value "ename"]

    sqlite3 db $::env(ROOT)/database.db
    db eval {INSERT INTO trans VALUES ($xact, $name)}
    db close

Note that I've changed the names of the variables to be different from the ones in the webform. This is to show that they do not need to be the same. A few other things to note are that you can make the transaction number field optional (supply a default via the second optional argument to ncgi::value) and it might also be better to do generation of transaction ids in the database (but that's another separate question; I've focussed in this answer on how to couple from the web into SQLite).

Of more interest is the fact that the above code is free of SQL injection attacks. However, whenever you come to taking the contents of the database and sending it back out to the web, you'll need to be careful again or you'll leave open XSS attacks. That's when the html package (Tcllib again) is useful, since it lets you generate correct hazard-free output with minimal effort. But that's another question...
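A self-contained, runnable version of the handler above, added here as an example and not part of the original answer: instead of reading a live request it feeds ncgi a constructed form submission through ncgi::reset (which exists for this kind of testing), uses an in-memory SQLite database, and constructs an employee name containing an apostrophe to show why the braced SQL with $var references is safe. The table layout (tnumber, ename) is assumed from the question.

```tcl
package require ncgi
package require sqlite3

# Constructed form submission standing in for what the web server would
# deliver. In a real CGI run you call ncgi::parse alone and it reads the
# request from the environment / stdin.
ncgi::reset "tnumber=42&ename=O%27Brien+%26+Sons" application/x-www-form-urlencoded
ncgi::parse

# The second argument to ncgi::value is the default used when the field
# is missing from the submission (so tnumber can be optional).
set xact [ncgi::value tnumber ""]
set name [ncgi::value ename]      ;# decodes to: O'Brien & Sons

sqlite3 db :memory:
db eval {CREATE TABLE trans (tnumber INTEGER, ename TEXT)}

# Inside a braced script the sqlite3 extension binds $xact and $name as
# parameters; Tcl never substitutes them into the SQL text, so the
# apostrophe in the name cannot end the string literal or alter the
# statement. The unsafe alternative would be a double-quoted statement
# such as "INSERT INTO trans VALUES ('$xact', '$name')", where the value
# is spliced into the SQL as text and this name would break the query.
db eval {INSERT INTO trans VALUES ($xact, $name)}

# Reading it back through a bound parameter as well.
set stored [db eval {SELECT ename FROM trans WHERE tnumber = $xact}]
puts "stored name: [lindex $stored 0]"
db close
```

Run it with tclsh after installing Tcllib and the sqlite3 Tcl extension; the stored value comes back exactly as submitted, apostrophe included.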
