diff --git a/en/04.1.md b/en/04.1.md index a95ade6c..781105f6 100644 --- a/en/04.1.md +++ b/en/04.1.md @@ -1,71 +1,72 @@ # 4.1 Process form inputs Before we begin, let's take a look at a simple example of a typical user form, saved as `login.gtpl` in your project folder. - - +```html + -
- Username: - Password: - -
+
+ Username: + Password: + +
- - + +``` This form will submit to `/login` on the server. After the user clicks the login button, the data will be sent to the `login` handler registered by the server router. Then we need to know whether it uses the POST method or GET. This is easy to find out using the `http` package. Let's see how to handle the form data on the login page. - package main +```Go +package main - import ( - "fmt" - "html/template" - "log" - "net/http" - "strings" - ) +import ( + "fmt" + "html/template" + "log" + "net/http" + "strings" +) - func sayhelloName(w http.ResponseWriter, r *http.Request) { - r.ParseForm() //Parse url parameters passed, then parse the response packet for the POST body (request body) - // attention: If you do not call ParseForm method, the following data can not be obtained form - fmt.Println(r.Form) // print information on server side. - fmt.Println("path", r.URL.Path) - fmt.Println("scheme", r.URL.Scheme) - fmt.Println(r.Form["url_long"]) - for k, v := range r.Form { - fmt.Println("key:", k) - fmt.Println("val:", strings.Join(v, "")) - } - fmt.Fprintf(w, "Hello astaxie!") // write data to response +func sayhelloName(w http.ResponseWriter, r *http.Request) { + r.ParseForm() //Parse url parameters passed, then parse the response packet for the POST body (request body) + // attention: If you do not call ParseForm method, the following data can not be obtained form + fmt.Println(r.Form) // print information on server side. + fmt.Println("path", r.URL.Path) + fmt.Println("scheme", r.URL.Scheme) + fmt.Println(r.Form["url_long"]) + for k, v := range r.Form { + fmt.Println("key:", k) + fmt.Println("val:", strings.Join(v, "")) } + fmt.Fprintf(w, "Hello astaxie!") // write data to response +} - func login(w http.ResponseWriter, r *http.Request) { - fmt.Println("method:", r.Method) //get request method - if r.Method == "GET" { - t, _ := template.ParseFiles("login.gtpl") - t.Execute(w, nil) - } else { - r.ParseForm() - // logic part of log in - fmt.Println("username:", r.Form["username"]) - fmt.Println("password:", r.Form["password"]) - } +func login(w http.ResponseWriter, r *http.Request) { + fmt.Println("method:", r.Method) //get request method + if r.Method == "GET" { + t, _ := template.ParseFiles("login.gtpl") + t.Execute(w, nil) + } else { + r.ParseForm() + // logic part of log in + fmt.Println("username:", r.Form["username"]) + fmt.Println("password:", r.Form["password"]) } - - func main() { - http.HandleFunc("/", sayhelloName) // setting router rule - http.HandleFunc("/login", login) - err := http.ListenAndServe(":9090", nil) // setting listening port - if err != nil { - log.Fatal("ListenAndServe: ", err) - } +} + +func main() { + http.HandleFunc("/", sayhelloName) // setting router rule + http.HandleFunc("/login", login) + err := http.ListenAndServe(":9090", nil) // setting listening port + if err != nil { + log.Fatal("ListenAndServe: ", err) } +} - +``` Here we use `r.Method` to get the request method, and it returns an http verb -"GET", "POST", "PUT", etc. In the `login` function, we use `r.Method` to check whether it's a login page or login processing logic. In other words, we check to see whether the user is simply opening the page, or trying to log in. Serve shows the page only when the request comes in via the GET method, and it executes the login logic when the request uses the POST method. @@ -87,7 +88,7 @@ Try changing the value of the action in the form `http://127.0.0.1:9090/login` t Figure 4.2 Server prints request data The type of `request.Form` is `url.Value`. It saves data with the format `key=value`. - +```Go v := url.Values{} v.Set("name", "Ava") v.Add("friend", "Jess") @@ -97,7 +98,7 @@ The type of `request.Form` is `url.Value`. It saves data with the format `key=va fmt.Println(v.Get("name")) fmt.Println(v.Get("friend")) fmt.Println(v["friend"]) - +``` **Tips** Requests have the ability to access form data using the `FormValue()` method. For example, you can change `r.Form["username"]` to `r.FormValue("username")`, and Go calls `r.ParseForm` automatically. Notice that it returns the first value if there are arguments with the same name, and it returns an empty string if there is no such argument. ## Links diff --git a/en/04.2.md b/en/04.2.md index 08fabec9..8456c842 100644 --- a/en/04.2.md +++ b/en/04.2.md @@ -7,17 +7,17 @@ There are two ways of verifying form data that are in common use. The first is J ## Required fields Sometimes we require that users input some fields but they fail to complete the field. For example in the previous section when we required a username. You can use the `len` function to get the length of a field in order to ensure that users have entered something. - +```Go if len(r.Form["username"][0])==0{ // code for empty field } - +``` `r.Form` treats different form element types differently when they are blank. For empty textboxes, text areas and file uploads, it returns an empty string; for radio buttons and check boxes, it doesn't even create the corresponding items. Instead, you will get errors if you try to access it. Therefore, it's safer to use `r.Form.Get()` to get field values since it will always return empty if the value does not exist. On the other hand, `r.Form.Get()` can only get one field value at a time, so you need to use `r.Form` to get the map of values. ## Numbers Sometimes you require numbers rather than other text for the field value. For example, let's say that you require the age of a user in integer form only, i.e 50 or 10, instead of "old enough" or "young man". If we require a positive number, we can convert the value to the `int` type first, then process it. - +```Go getint,err:=strconv.Atoi(r.Form.Get("age")) if err!=nil{ // error occurs when convert to number, it may not a number @@ -27,55 +27,55 @@ Sometimes you require numbers rather than other text for the field value. For ex if getint >100 { // too big } - +``` Another way to do this is by using regular expressions. - +```Go if m, _ := regexp.MatchString("^[0-9]+$", r.Form.Get("age")); !m { return false } - +``` For high performance purposes, regular expressions are not efficient, however simple regular expressions are usually fast enough. If you are familiar with regular expressions, it's a very convenient way to verify data. Notice that Go uses [RE2](http://code.google.com/p/re2/wiki/Syntax), so all UTF-8 characters are supported. ## Chinese Sometimes we need users to input their Chinese names and we have to verify that they all use Chinese rather than random characters. For Chinese verification, regular expressions are the only way. - - if m, _ := regexp.MatchString("^[\\x{4e00}-\\x{9fa5}]+$", r.Form.Get("realname")); !m { - return false - } - +```Go +if m, _ := regexp.MatchString("^[\\x{4e00}-\\x{9fa5}]+$", r.Form.Get("realname")); !m { + return false +} +``` ## English letters Sometimes we need users to input only English letters. For example, we require someone's English name, like astaxie instead of astač°˘. We can easily use regular expressions to perform our verification. - - if m, _ := regexp.MatchString("^[a-zA-Z]+$", r.Form.Get("engname")); !m { - return false - } - +```Go +if m, _ := regexp.MatchString("^[a-zA-Z]+$", r.Form.Get("engname")); !m { + return false +} +``` ## E-mail address If you want to know whether users have entered valid E-mail addresses, you can use the following regular expression: - +```Go if m, _ := regexp.MatchString(`^([\w\.\_]{2,10})@(\w{1,}).([a-z]{2,4})$`, r.Form.Get("email")); !m { fmt.Println("no") }else{ fmt.Println("yes") } - +``` ## Drop down list Let's say we require an item from our drop down list, but instead we get a value fabricated by hackers. How do we prevent this from happening? Suppose we have the following ` - +``` We can use the following strategy to sanitize our input: - +```Go slice:=[]string{"apple","pear","banana"} for _, v := range slice { @@ -84,18 +84,18 @@ We can use the following strategy to sanitize our input: } } return false - +``` All the functions I've shown above are in my open source project for operating on slices and maps: [https://github.com/astaxie/beeku](https://github.com/astaxie/beeku) ## Radio buttons If we want to know whether the user is male or female, we may use a radio button, returning 1 for male and 2 for female. However, some little kid who just read his first book on HTTP, decides to send to you a 3. Will your program throw an exception? As you can see, we need to use the same method as we did for our drop down list to make sure that only expected values are returned by our radio button. - +```html Male Female - +``` And we use the following code to validate the input: - +```Go slice:=[]int{1,2} for _, v := range slice { @@ -104,32 +104,32 @@ And we use the following code to validate the input: } } return false - +``` ## Check boxes Suppose there are some check boxes for user interests, and that you don't want extraneous values here either. You can validate these ase follows: - +```html Football Basketball Tennis - +``` In this case, the sanitization is a little bit different to validating the button and check box inputs since here we get a slice from the check boxes. +```Go +slice:=[]string{"football","basketball","tennis"} +a:=Slice_diff(r.Form["interest"],slice) +if a == nil{ + return true +} - slice:=[]string{"football","basketball","tennis"} - a:=Slice_diff(r.Form["interest"],slice) - if a == nil{ - return true - } - - return false - +return false +``` ## Date and time Suppose you want users to input valid dates or times. Go has the `time` package for converting year, month and day to their corresponding times. After that, it's easy to check it. - +```Go t := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC) fmt.Printf("Go launched at %s\n", t.Local()) - +``` After you have the time, you can use the `time` package for more operations, depending on your needs. In this section, we've discussed some common methods of validating form data on the server side. I hope that you now understand more about data validation in Go, especially how to use regular expressions to your advantage. diff --git a/en/04.3.md b/en/04.3.md index f6b5eefb..38906275 100644 --- a/en/04.3.md +++ b/en/04.3.md @@ -16,11 +16,11 @@ So how can we do these two things in Go? Fortunately, the `html/template` packag - `func HTMLEscaper(args ...interface{}) string` returns a string after escaping from multiple arguments. Let's change the example in section 4.1: - +```Go fmt.Println("username:", template.HTMLEscapeString(r.Form.Get("username"))) // print at server side fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password"))) template.HTMLEscape(w, []byte(r.Form.Get("username"))) // responded to clients - +``` If someone tries to input the username as ``, we will see the following content in the browser: ![](images/4.3.escape.png?raw=true) @@ -28,39 +28,39 @@ If someone tries to input the username as ``, we will se Figure 4.3 JavaScript after escaped Functions in the `html/template` package help you to escape all HTML tags. What if you just want to print `` to browsers? You should use `text/template` instead. - +```Go import "text/template" ... t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) err = t.ExecuteTemplate(out, "T", "") - +``` Output: - - Hello, ! - +```html +Hello, ! +``` Or you can use the `template.HTML` type : Variable content will not be escaped if its type is `template.HTML`. - +```Go import "html/template" ... t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) err = t.ExecuteTemplate(out, "T", template.HTML("")) - +``` Output: - - Hello, ! - +```html +Hello, ! +``` One more example of escaping: - +```Go import "html/template" ... t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`) err = t.ExecuteTemplate(out, "T", "") - +``` Output: - - Hello, <script>alert('you have been pwned')</script>! - +```html +Hello, <script>alert('you have been pwned')</script>! +``` ## Links - [Directory](preface.md) diff --git a/en/04.4.md b/en/04.4.md index 4c4b9adb..2353ae5f 100644 --- a/en/04.4.md +++ b/en/04.4.md @@ -5,7 +5,7 @@ I don't know if you've ever seen some blogs or BBS' that have more than one post The solution is to add a hidden field with a unique token to your form, and to always check this token before processing the incoming data. Also, if you are using Ajax to submit a form, use JavaScript to disable the submit button once the form has been submitted. Let's improve the example from section 4.2: - +```html Football Basketball Tennis @@ -13,34 +13,36 @@ Let's improve the example from section 4.2: Password: - +``` We use an MD5 hash (time stamp) to generate the token, and added it to both a hidden field on the client side form and a session cookie on the server side (Chapter 6). We can then use this token to check whether or not this form was submitted. +```Go +func login(w http.ResponseWriter, r *http.Request) { + fmt.Println("method:", r.Method) // get request method + if r.Method == "GET" { + crutime := time.Now().Unix() + h := md5.New() + io.WriteString(h, strconv.FormatInt(crutime, 10)) + token := fmt.Sprintf("%x", h.Sum(nil)) - func login(w http.ResponseWriter, r *http.Request) { - fmt.Println("method:", r.Method) // get request method - if r.Method == "GET" { - crutime := time.Now().Unix() - h := md5.New() - io.WriteString(h, strconv.FormatInt(crutime, 10)) - token := fmt.Sprintf("%x", h.Sum(nil)) - - t, _ := template.ParseFiles("login.gtpl") - t.Execute(w, token) - } else { - // log in request - r.ParseForm() - token := r.Form.Get("token") - if token != "" { - // check token validity - } else { - // give error if no token - } - fmt.Println("username length:", len(r.Form["username"][0])) - fmt.Println("username:", template.HTMLEscapeString(r.Form.Get("username"))) // print in server side - fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password"))) - template.HTMLEscape(w, []byte(r.Form.Get("username"))) // respond to client - } + t, _ := template.ParseFiles("login.gtpl") + t.Execute(w, token) + } else { + // log in request + r.ParseForm() + token := r.Form.Get("token") + if token != "" { + // check token validity + } else { + // give error if no token + } + fmt.Println("username length:", len(r.Form["username"][0])) + fmt.Println("username:", template.HTMLEscapeString(r.Form.Get("username"))) // print in server side + fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password"))) + template.HTMLEscape(w, []byte(r.Form.Get("username"))) // respond to client } +} + +``` ![](images/4.4.token.png?raw=true) diff --git a/en/04.5.md b/en/04.5.md index 0f824fe0..97eaecde 100644 --- a/en/04.5.md +++ b/en/04.5.md @@ -13,7 +13,7 @@ text/plain Convert spaces to "+", but no transcoding for special characters. Therefore, the HTML content of a file upload form should look like this: -``` +```html Upload file @@ -31,7 +31,7 @@ Therefore, the HTML content of a file upload form should look like this: We need to add a function on the server side to handle this form. -``` +```Go http.HandleFunc("/upload", upload) // upload logic @@ -78,7 +78,7 @@ We use three steps for uploading files as follows: The file handler is the `multipart.FileHeader`. It uses the following struct: -``` +```Go type FileHeader struct { Filename string Header textproto.MIMEHeader @@ -94,7 +94,7 @@ Figure 4.5 Print information on server after receiving file. I showed an example of using a form to a upload a file. We can impersonate a client form to upload files in Go as well. -``` +```Go package main import (