When writing HTML pages which include fields where users can enter data, you usually want to validate the input. Having checks in your html may be good – but someone could use a REST API url and send data directly to the back-end, and bypass your checks. This means that as well as field checking in your panels, you also need field checking in the back-end before doing any data updates.
The flow of logic for a web server application is
- display an html page with input fields for user to complete. There may be input fields(possibly read only) with defaults pre-supplied, there may also be ‘input’ fields which have a value, are read only ,and not displayed. This allows you to pass “constant” data to the server, via the URL.
- The back-end request is submitted.
- The back-end application:
- Validates the parameters. These checks may be more stringent that the HTML validate, for example it may lookup a value in a database rather than just checking it is numeric . If a request, such as a REST API request, arrives, the parameters will not have been checked.
- Augments any data, for example add constant values, or system wide data.
- Transforms any data, for example change a string option to a numeric option as needed by the service.
- Calls the service, such as database insert
- Passes a response back to the caller, possibly in JSON format, giving
- Return code
- Any error message
- Any field in error
- The front end displays any error messages, and positions the cursor in the first field with a problem.
The easy field validation.
You can have an input field like
<input … required pattern=”…” minlength=”4″ maxlength=”8″ type=”number”
value=”colin paice” readonly=”readonly” title=”colins email address”>
where you can have
- required – the user must enter value.
- pattern – you can specify a standard regular expression, such as a string must start with a capital letter.
- minlength and maxlength – allows you to specify limits to the size.
- type – can be number, text, password, file, etc..
- value – you can preset a value.
- readonly – the user can see it, but cannot change it. You can preset this with value=… .
- type=hidden, can be used with value to pass a value to the back end that the user cannot see it on the page.
- title – produces hover over the field so you can provide a description of the expected format.
- you can define radio buttons, pull down lists, or multi choice selection.
Javascript validation
When the user takes an action, for example pressing a submit button, or changing the value of a field, you can drive a Javascript script.
This can do more complex checking of values. The onfocus=focusfunction(this) invokes the focusfunction when field gets focus (you put your cursor into the input box) (not very useful). The onblur=blurfunction(this) gets control when you move away into another field (much more useful)
<script>
function check(a){
alert(a.value)
}
</script>
<input type="text" onblur = "check(this)" >
After a value is entered into the input field, and you move to another field, it will pop up an alert window with the value you entered.
You can get the the values of several fields and check they are mutually consistent.
You can use the <form onsubmit=…> to invoke a script when submitting a form, to check that all parameters have been specified and are consistent.
Checking parameters passed to an html page
An action such as submitting a form, can display another page. Parameters can be passed as part of the URL. For example
file:///home/colinpaice/tmp/c2.html?name=colin+paice&email=Colin%40sss.com&organisation=Stromness+Software+Solutions&Country=GB&OU=test
- The invoked page was file:///home/colinpaice/tmp/c2.html
- The parameters start after the ?
- Parameters are split at the & sign
- Some characters are converted to their hex value; for example & and blanks. This is done so the string can be unambiguously parsed.
I have a useful page which processes any parameters and displays them within the page
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<HTML lang="en">
<HEAD>
<script>
function js_onload_code (e){
var url = document.location.href;
alert("colin:"+url);
var p = url.split('?')[1]; // any parms
if (p) // there is a parameter
{
var params = p.split('&');
if (params) // we have at least one parameter.
{
var l = params.length; // number of them
for (var i = 0 ; i < l; i++) {
tmp = params[i].split('=');
document.write(tmp[0] + "=" + tmp[1] + "<br>");
} // for
} // if params
} // function
window.onload= js_onload_code ();
</script>
<TITLE> Invoked page</TITLE>
</HEAD>
<BODY >
<p>Parameters passed in</p>
</BODY>
</HTML>
When this page is executed,
- window.onload= js_onload_code (); says when this page is loaded execute the script. Within the script..
- var url = document.location.href; gets the URL string
- var p = url.split(‘?’)[1]; split to get any parameters. Take the URL, split it at ? and take the second value (for zero based, 0 is the first element, 1 is the second element)
- ...split(‘&’); split the keyword string at the “&”
- var params = p.split(‘&’); create an array of strings split at the &
- var l = params.length; count the number of strings produced by split(‘&’)
- for (var i = 0 ; i < l; i++) { tmp = params[i].split(‘=’); document.write(tmp[0] + “=” + tmp[1] + “<br>”); } for each string – split keyword=value, and insert it into the page.
Server side checking
For a table using method=”get” the parameters are passed in the URL as show above.
For method=”post” data is passed via stdin, and the server application has to read the data. Depending your backend application you may have to write special code. Python handles post and get with no difference in code. You have to write code for Rexx to handle POST.
The server processing is
- Validates the parameters. These checks may be more stringent that the HTML validate, for example it may lookup a value in a database. If a request, such as a REST API request, arrives, the parameters will not have been checked.
- Augments any data, for example add site wide data value, or system specific data
- Calls the service, such as database insert
- Passes a response back to the caller, possibly in JSON format, giving
- Return code
- Any error message
- Any field in error
Python program can pass data such as lists, and dictionary to external routine.
Rexx program communication is done using a command string. You can separate fields by a delimiter, and then parse the input string. As the URL passed in as a format url?kw1=v1&kw2=v2&… you could pass that string through to external routines.
You may want to have common routines for checking values. These would need to be outside of the server program, so they can be shared. You might parse the url passed to the server program into Rexx variables
- kw.1=”userid, value.1=”colin”,
- kw.2=”password”,value.2=”passw0rd”
then have logic like
do I = 1 to number_of_inputs if kw.i = "userid" then rc =checkuid(value.i) else if kw.i="password" then rc = "checkpw(value.i) ... end
You might have to have multiple passes of the data so you get userid, and password, and then issue
userid = "" password = "" do I = 1 to number_of_inputs if kw.i = "userid" then userid = value.i else if kw.i="password" then password= value.i ... end rc = checkpw(userid,password)
Where rc could be in a string of format “rc value”
and
- rc =0 – use the returned value
- rc!=0 – error detected. The value is an error message. Pass it, and the field name, back to the caller
If you want to add “constant” data
create
number_of_inputs =number_of_input + 1 n = number_of_inputs kw.n="zos" value.n="ZOS1"
You can then build a string similar to the original input from the kw… and value… values.
There is a lot to consider for a simple little application!
ColinPaice 