lostecho/build-web-application-with-golang
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add en/0.4.x.md syntax highlighting

Browse Source
This commit is contained in:
vCaesar
2017-04-22 16:07:15 +08:00
parent 87bfcf228e
commit 7e82857138
5 changed files with 139 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
en/04.1.md
View File

@@ -1,8 +1,8 @@
# 4.1 Process form inputs
Before we begin, let's take a look at a simple example of a typical user form, saved as `login.gtpl` in your project folder.
<html>
```html
<html>
<head>
<title></title>
</head>
@@ -13,23 +13,24 @@ Before we begin, let's take a look at a simple example of a typical user form, s
<input type="submit" value="Login">
</form>
</body>
</html>
</html>
```
This form will submit to `/login` on the server. After the user clicks the login button, the data will be sent to the `login` handler registered by the server router. Then we need to know whether it uses the POST method or GET.
This is easy to find out using the `http` package. Let's see how to handle the form data on the login page.
package main
```Go
package main
import (
import (
"fmt"
"html/template"
"log"
"net/http"
"strings"
)
)
func sayhelloName(w http.ResponseWriter, r *http.Request) {
func sayhelloName(w http.ResponseWriter, r *http.Request) {
r.ParseForm() //Parse url parameters passed, then parse the response packet for the POST body (request body)
// attention: If you do not call ParseForm method, the following data can not be obtained form
fmt.Println(r.Form) // print information on server side.
@@ -41,9 +42,9 @@ This is easy to find out using the `http` package. Let's see how to handle the f
fmt.Println("val:", strings.Join(v, ""))
}
fmt.Fprintf(w, "Hello astaxie!") // write data to response
}
}
func login(w http.ResponseWriter, r *http.Request) {
func login(w http.ResponseWriter, r *http.Request) {
fmt.Println("method:", r.Method) //get request method
if r.Method == "GET" {
t, _ := template.ParseFiles("login.gtpl")
@@ -54,18 +55,18 @@ This is easy to find out using the `http` package. Let's see how to handle the f
fmt.Println("username:", r.Form["username"])
fmt.Println("password:", r.Form["password"])
}
}
}
func main() {
func main() {
http.HandleFunc("/", sayhelloName) // setting router rule
http.HandleFunc("/login", login)
err := http.ListenAndServe(":9090", nil) // setting listening port
if err != nil {
log.Fatal("ListenAndServe: ", err)
}
}
}
```
Here we use `r.Method` to get the request method, and it returns an http verb -"GET", "POST", "PUT", etc.
In the `login` function, we use `r.Method` to check whether it's a login page or login processing logic. In other words, we check to see whether the user is simply opening the page, or trying to log in. Serve shows the page only when the request comes in via the GET method, and it executes the login logic when the request uses the POST method.
@@ -87,7 +88,7 @@ Try changing the value of the action in the form `http://127.0.0.1:9090/login` t
Figure 4.2 Server prints request data
The type of `request.Form` is `url.Value`. It saves data with the format `key=value`.
```Go
v := url.Values{}
v.Set("name", "Ava")
v.Add("friend", "Jess")
@@ -97,7 +98,7 @@ The type of `request.Form` is `url.Value`. It saves data with the format `key=va
fmt.Println(v.Get("name"))
fmt.Println(v.Get("friend"))
fmt.Println(v["friend"])
```
**Tips** Requests have the ability to access form data using the `FormValue()` method. For example, you can change `r.Form["username"]` to `r.FormValue("username")`, and Go calls `r.ParseForm` automatically. Notice that it returns the first value if there are arguments with the same name, and it returns an empty string if there is no such argument.
## Links

70
en/04.2.md
View File

@@ -7,17 +7,17 @@ There are two ways of verifying form data that are in common use. The first is J
## Required fields
Sometimes we require that users input some fields but they fail to complete the field. For example in the previous section when we required a username. You can use the `len` function to get the length of a field in order to ensure that users have entered something.
```Go
if len(r.Form["username"][0])==0{
// code for empty field
}
```
`r.Form` treats different form element types differently when they are blank. For empty textboxes, text areas and file uploads, it returns an empty string; for radio buttons and check boxes, it doesn't even create the corresponding items. Instead, you will get errors if you try to access it. Therefore, it's safer to use `r.Form.Get()` to get field values since it will always return empty if the value does not exist. On the other hand, `r.Form.Get()` can only get one field value at a time, so you need to use `r.Form` to get the map of values.
## Numbers
Sometimes you require numbers rather than other text for the field value. For example, let's say that you require the age of a user in integer form only, i.e 50 or 10, instead of "old enough" or "young man". If we require a positive number, we can convert the value to the `int` type first, then process it.
```Go
getint,err:=strconv.Atoi(r.Form.Get("age"))
if err!=nil{
// error occurs when convert to number, it may not a number
@@ -27,55 +27,55 @@ Sometimes you require numbers rather than other text for the field value. For ex
if getint >100 {
// too big
}
```
Another way to do this is by using regular expressions.
```Go
if m, _ := regexp.MatchString("^[0-9]+$", r.Form.Get("age")); !m {
return false
}
```
For high performance purposes, regular expressions are not efficient, however simple regular expressions are usually fast enough. If you are familiar with regular expressions, it's a very convenient way to verify data. Notice that Go uses [RE2](http://code.google.com/p/re2/wiki/Syntax), so all UTF-8 characters are supported.
## Chinese
Sometimes we need users to input their Chinese names and we have to verify that they all use Chinese rather than random characters. For Chinese verification, regular expressions are the only way.
if m, _ := regexp.MatchString("^[\\x{4e00}-\\x{9fa5}]+$", r.Form.Get("realname")); !m {
```Go
if m, _ := regexp.MatchString("^[\\x{4e00}-\\x{9fa5}]+$", r.Form.Get("realname")); !m {
return false
}
}
```
## English letters
Sometimes we need users to input only English letters. For example, we require someone's English name, like astaxie instead of asta谢. We can easily use regular expressions to perform our verification.
if m, _ := regexp.MatchString("^[a-zA-Z]+$", r.Form.Get("engname")); !m {
```Go
if m, _ := regexp.MatchString("^[a-zA-Z]+$", r.Form.Get("engname")); !m {
return false
}
}
```
## E-mail address
If you want to know whether users have entered valid E-mail addresses, you can use the following regular expression:
```Go
if m, _ := regexp.MatchString(`^([\w\.\_]{2,10})@(\w{1,}).([a-z]{2,4})$`, r.Form.Get("email")); !m {
fmt.Println("no")
}else{
fmt.Println("yes")
}
```
## Drop down list
Let's say we require an item from our drop down list, but instead we get a value fabricated by hackers. How do we prevent this from happening?
Suppose we have the following `<select>`:
```html
<select name="fruit">
<option value="apple">apple</option>
<option value="pear">pear</option>
<option value="banana">banana</option>
</select>
```
We can use the following strategy to sanitize our input:
```Go
slice:=[]string{"apple","pear","banana"}
for _, v := range slice {
@@ -84,18 +84,18 @@ We can use the following strategy to sanitize our input:
}
}
return false
```
All the functions I've shown above are in my open source project for operating on slices and maps: [https://github.com/astaxie/beeku](https://github.com/astaxie/beeku)
## Radio buttons
If we want to know whether the user is male or female, we may use a radio button, returning 1 for male and 2 for female. However, some little kid who just read his first book on HTTP, decides to send to you a 3. Will your program throw an exception? As you can see, we need to use the same method as we did for our drop down list to make sure that only expected values are returned by our radio button.
```html
<input type="radio" name="gender" value="1">Male
<input type="radio" name="gender" value="2">Female
```
And we use the following code to validate the input:
```Go
slice:=[]int{1,2}
for _, v := range slice {
@@ -104,32 +104,32 @@ And we use the following code to validate the input:
}
}
return false
```
## Check boxes
Suppose there are some check boxes for user interests, and that you don't want extraneous values here either. You can validate these ase follows:
```html
<input type="checkbox" name="interest" value="football">Football
<input type="checkbox" name="interest" value="basketball">Basketball
<input type="checkbox" name="interest" value="tennis">Tennis
```
In this case, the sanitization is a little bit different to validating the button and check box inputs since here we get a slice from the check boxes.
slice:=[]string{"football","basketball","tennis"}
a:=Slice_diff(r.Form["interest"],slice)
if a == nil{
```Go
slice:=[]string{"football","basketball","tennis"}
a:=Slice_diff(r.Form["interest"],slice)
if a == nil{
return true
}
return false
}
return false
```
## Date and time
Suppose you want users to input valid dates or times. Go has the `time` package for converting year, month and day to their corresponding times. After that, it's easy to check it.
```Go
t := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
fmt.Printf("Go launched at %s\n", t.Local())
```
After you have the time, you can use the `time` package for more operations, depending on your needs.
In this section, we've discussed some common methods of validating form data on the server side. I hope that you now understand more about data validation in Go, especially how to use regular expressions to your advantage.

34
en/04.3.md
View File

@@ -16,11 +16,11 @@ So how can we do these two things in Go? Fortunately, the `html/template` packag
- `func HTMLEscaper(args ...interface{}) string` returns a string after escaping from multiple arguments.
Let's change the example in section 4.1:
```Go
fmt.Println("username:", template.HTMLEscapeString(r.Form.Get("username"))) // print at server side
fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password")))
template.HTMLEscape(w, []byte(r.Form.Get("username"))) // responded to clients
```
If someone tries to input the username as `<script>alert()</script>`, we will see the following content in the browser:
![](images/4.3.escape.png?raw=true)
@@ -28,39 +28,39 @@ If someone tries to input the username as `<script>alert()</script>`, we will se
Figure 4.3 JavaScript after escaped
Functions in the `html/template` package help you to escape all HTML tags. What if you just want to print `<script>alert()</script>` to browsers? You should use `text/template` instead.
```Go
import "text/template"
...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
```
Output:
Hello, <script>alert('you have been pwned')</script>!
```html
Hello, <script>alert('you have been pwned')</script>!
```
Or you can use the `template.HTML` type :
Variable content will not be escaped if its type is `template.HTML`.
```Go
import "html/template"
...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", template.HTML("<script>alert('you have been pwned')</script>"))
```
Output:
Hello, <script>alert('you have been pwned')</script>!
```html
Hello, <script>alert('you have been pwned')</script>!
```
One more example of escaping:
```Go
import "html/template"
...
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
```
Output:
Hello, &lt;script&gt;alert(&#39;you have been pwned&#39;)&lt;/script&gt;!
```html
Hello, &lt;script&gt;alert(&#39;you have been pwned&#39;)&lt;/script&gt;!
```
## Links
- [Directory](preface.md)

12
en/04.4.md
View File

@@ -5,7 +5,7 @@ I don't know if you've ever seen some blogs or BBS' that have more than one post
The solution is to add a hidden field with a unique token to your form, and to always check this token before processing the incoming data. Also, if you are using Ajax to submit a form, use JavaScript to disable the submit button once the form has been submitted.
Let's improve the example from section 4.2:
```html
<input type="checkbox" name="interest" value="football">Football
<input type="checkbox" name="interest" value="basketball">Basketball
<input type="checkbox" name="interest" value="tennis">Tennis
@@ -13,10 +13,10 @@ Let's improve the example from section 4.2:
Password:<input type="password" name="password">
<input type="hidden" name="token" value="{{.}}">
<input type="submit" value="Login">
```
We use an MD5 hash (time stamp) to generate the token, and added it to both a hidden field on the client side form and a session cookie on the server side (Chapter 6). We can then use this token to check whether or not this form was submitted.
func login(w http.ResponseWriter, r *http.Request) {
```Go
func login(w http.ResponseWriter, r *http.Request) {
fmt.Println("method:", r.Method) // get request method
if r.Method == "GET" {
crutime := time.Now().Unix()
@@ -40,7 +40,9 @@ We use an MD5 hash (time stamp) to generate the token, and added it to both a hi
fmt.Println("password:", template.HTMLEscapeString(r.Form.Get("password")))
template.HTMLEscape(w, []byte(r.Form.Get("username"))) // respond to client
}
}
}
```
![](images/4.4.token.png?raw=true)

8
en/04.5.md
View File

@@ -13,7 +13,7 @@ text/plain Convert spaces to "+", but no transcoding for special characters.
Therefore, the HTML content of a file upload form should look like this:
```
```html
<html>
<head>
<title>Upload file</title>
@@ -31,7 +31,7 @@ Therefore, the HTML content of a file upload form should look like this:
We need to add a function on the server side to handle this form.
```
```Go
http.HandleFunc("/upload", upload)
// upload logic
@@ -78,7 +78,7 @@ We use three steps for uploading files as follows:
The file handler is the `multipart.FileHeader`. It uses the following struct:
```
```Go
type FileHeader struct {
Filename string
Header textproto.MIMEHeader
@@ -94,7 +94,7 @@ Figure 4.5 Print information on server after receiving file.
I showed an example of using a form to a upload a file. We can impersonate a client form to upload files in Go as well.
```
```Go
package main
import (