diff --git a/en/eBook/04.2.md b/en/eBook/04.2.md index 21a2c157..291e4657 100644 --- a/en/eBook/04.2.md +++ b/en/eBook/04.2.md 
@@ -1,22 +1,22 @@ # 4.2 Verification of inputs -The most important principle in web development is that you cannot trust anything from user form, you have to verify all data before use them. You may know many websites are invaded by this problem which is simple but crucial. +One of the most important principles in web development is that you cannot trust anything from client side user forms. You have to verify all incoming data before use it. Many websites are affected by this problem, which is simple yet crucial. -There are two ways to verify form data that commonly used, the one is JavaScript verification in front-end, and another one is server verification in back-end. In this section, we are going to talk about the server verification in web development. +There are two ways of verify form data that are commonly used. One is JavaScript verification in the front-end, and the other is server verification in the back-end. In this section, we are going to talk about server side verification in web development. ## Required fields -Sometimes you ask users to input some fields but they don't, for example we need user name in previous section. You can use function `len` to get length of field to make sure users input this information. +Sometimes we require that users input some fields but they don't, for example in the previous section when we required a username. You can use the `len` function to get the length of a field in order to ensure that users have entered this information. if len(r.Form["username"][0])==0{ // code for empty field } -`r.Form` uses different treatments of different types of form elements when they are blanks. For empty text box, text area and file upload, it returns empty string; for radio button and check box, it doesn't even create corresponding items, and you will get errors if you try to access it. Therefore, we'd better use `r.Form.Get()` to get filed values because it always returns empty if the value does not exist. 
On the other hand, `r.Form.Get()` can only get one field value every time, so you need to use `r.Form` to get values in map. +`r.Form` treats different form element types differently when they are blank. For empty textboxes, text areas and file uploads, it returns an empty string; for radio buttons and check boxes, it doesn't even create the corresponding items. Instead, you will get errors if you try to access it. Therefore, it's safer to use `r.Form.Get()` to get filed values since it will always return empty if the value does not exist. On the other hand, `r.Form.Get()` can only get one field value at a time, so you need to use `r.Form` to get the map of values. ## Numbers -Sometimes you only need numbers for the field value. For example, you need age of users, like 50 or 10, instead of "old enough" or "young man". If we need positive numbers, we can convert to `int` type first and process them. +Sometimes you only need numbers for the field value. For example, let's say that you require the age of a user in integer form only, i.e 50 or 10, instead of "old enough" or "young man". If we require a positive number, we can convert the value to the `int` type first, then process it. getint,err:=strconv.Atoi(r.Form.Get("age")) if err!=nil{ 
@@ -28,17 +28,17 @@ Sometimes you only need numbers for the field value. For example, you need age o // too big } -Another way to do this is using regular expression. +Another way to do this is using regular expressions. if m, _ := regexp.MatchString("^[0-9]+$", r.Form.Get("age")); !m { return false } -For high performance purpose, regular expression is not an efficient way, but simple regular expression is fast enough. If you know regular expression before, you should it's a very convenient way to verify data. Notice that Go uses [RE2](http://code.google.com/p/re2/wiki/Syntax), all UTF-8 characters are supported. +For high performance purposes, regular expressions are not efficient, however simple regular expressions are usually fast enough. If you are familiar with regular expressions, it's a very convenient way to verify data. Notice that Go uses [RE2](http://code.google.com/p/re2/wiki/Syntax), so all UTF-8 characters are supported. ## Chinese -Sometimes we need users to input their Chinese name, we have to verify they use all Chinese rather than random characters. For Chinese verification, regular expression is the only way. +Sometimes we need users to input their Chinese names and we have to verify that they all use Chinese rather than random characters. For Chinese verification, regular expressions are the only way. if m, _ := regexp.MatchString("^[\\x{4e00}-\\x{9fa5}]+$", r.Form.Get("realname")); !m { return false 
@@ -46,7 +46,7 @@ Sometimes we need users to input their Chinese name, we have to verify they use ## English letters -Sometimes we need users to input English letters. For example, we need someone's English name, like astaxie instead of astač°˘. We can easily use regular expression to do verification. +Sometimes we need users to input only English letters. For example, we require someone's English name, like astaxie instead of astač°˘. We can easily use regular expressions to perform our verification. if m, _ := regexp.MatchString("^[a-zA-Z]+$", r.Form.Get("engname")); !m { return false @@ -54,7 +54,7 @@ Sometimes we need users to input English letters. For example, we need someone's ## E-mail address -If you want to know if users input valid E-mail address, you can use following regular expression: +If you want to know whether users have entered valid E-mail addresses, you can use the following regular expression: if m, _ := regexp.MatchString(`^([\w\.\_]{2,10})@(\w{1,}).([a-z]{2,4})$`, r.Form.Get("email")); !m { fmt.Println("no") @@ -64,19 +64,19 @@ If you want to know if users input valid E-mail address, you can use following r ## Drop down list -When we need item in our drop down list, but we get some values that are made by hackers, how can we prevent it? +Let's say we require an item from our drop down list, but instead we get a value fabricated by hackers. How do we prevent this from happening? -Suppose we have following ``: -Then, we use following way to verify: +We can use the following strategy to sanitize our input: - slice:=[]string{"apple","pear","banane"} + slice:=[]string{"apple","pear","banana"} for _, v := range slice { if v == r.Form.Get("fruit") { 
@@ -85,16 +85,16 @@ Then, we use following way to verify: } return false -All functions I showed above are in my open source project for operating slice and map: [https://github.com/astaxie/beeku](https://github.com/astaxie/beeku) +All the functions I've shown above are in my open source project for operating on slices and maps: [https://github.com/astaxie/beeku](https://github.com/astaxie/beeku) ## Radio buttons -If we want to know the user is male or female, we may use a radio button, return 1 for male and 2 for female. However, there is a little boy is reading book about HTTP, and send to you 3, will your program have exception? So we need to use same way for drop down list to make sure all values are expected. +If we want to know whether the user is male or female, we may use a radio button, returning 1 for male and 2 for female. However, some little kid who just read his first book on HTTP, decides to send to you a 3. Will your program have have exception? As you can see, we need to use the same method as we did for our drop down list to make sure that only expected values are returned by our radio button. Male Female -And we use following code to do verification: +And we use following code to verify the input: slice:=[]int{1,2} @@ -107,13 +107,13 @@ And we use following code to do verification: ## Check boxes -Suppose there are some check boxes for users' interests, and you don't want extra values as well. +Suppose there are some check boxes for user interests, and that you don't want extraneous values here either. Football Basketball Tennis -Here is a little bit different in verification between radio buttons and check boxes because we get a slice from check boxes. +In this case, the sanitization is a little bit different than verifying the button and check box inputs since here we get a slice from the check boxes. slice:=[]string{"football","basketball","tennis"} a:=Slice_diff(r.Form["interest"],slice) 
@@ -125,14 +125,14 @@ Here is a little bit different in verification between radio buttons and check b ## Date and time -Suppose you want to make users input valid date or time. Go has package `time` to convert year, month, day to corresponding time, then it's easy to check it. +Suppose you want users to input valid dates or times. Go has the `time` package for converting year, month and day to their corresponding times. After that, it's easy to check it. t := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC) fmt.Printf("Go launched at %s\n", t.Local()) -After you had time, you can use package `time` for more operations depend on your purposes. +After you have the time, you can use the `time` package for more operations, depending on your needs. -We talked about some common form data verification in server side, I hope you understand more about data verification in Go, especially how to use regular expression. +In this section, we've discussed some common methods for verifying form data server side. I hope that you now understand more about data verification in Go, especially how to use regular expressions to your advantage. ## Links
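Review bot: in the first hunk (`@@ -1,22 +1,22 @@`) the rewritten sentence "You have to verify all incoming data before use it." is still ungrammatical and should read "before using it"; likewise "There are two ways of verify form data" should be "two ways of verifying form data", and the typo "to get filed values" (for "field values") is carried over unchanged into the new text. Since the hunk leaves `if len(r.Form["username"][0])==0{` as context, the new paragraph could also say plainly that this index expression panics when the key is absent, which is the reason the text then recommends `r.Form.Get()`.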
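Review bot: in the second hunk (`@@ -28,17 +28,17 @@`) the new sentence "For Chinese verification, regular expressions are the only way." overstates it; ranging over the string and checking each rune with `unicode.Is(unicode.Han, r)` is a standard alternative, and the range `\x{4e00}-\x{9fa5}` covers only the basic CJK Unified Ideographs block, so the prose should not present the pattern as complete. The performance remark would be more useful if it noted that `regexp.MatchString` recompiles the pattern on every call, so a package-level `regexp.MustCompile` is the usual fix when the same check runs per request.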
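Review bot: the hunk at `@@ -54,7 +54,7 @@` keeps the e-mail pattern `^([\w\.\_]{2,10})@(\w{1,}).([a-z]{2,4})$` as context, and its prose now promises "valid E-mail addresses", but the `.` before the top-level domain is unescaped (it matches any character), the local part is capped at 10 characters, and top-level domains longer than four letters are rejected; the text should either escape the dot and loosen the bounds or describe the check as a rough format filter rather than validation.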
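Review bot: in the hunk at `@@ -64,19 +64,19 @@` the new heading sentence "We can use the following strategy to sanitize our input:" mislabels what the code does; the loop over `slice:=[]string{"apple","pear","banana"}` rejects unknown values rather than cleaning them, so "validate" (the term the rest of the section uses) is the accurate word. The spelling fix `banane` to `banana` in the code is correct, but note the context line "Suppose we have following ``:" has lost its `<select>` markup in this rendering, so the example form the reader is meant to compare against is missing.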
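Review bot: in the hunk at `@@ -85,16 +85,16 @@` the new sentence "Will your program have have exception?" doubles "have" and should be "Will your program throw an exception?" (or, in Go terms, "panic"); "some little kid who just read his first book on HTTP, decides to send to you a 3" has a stray comma before "decides" and should be "send you a 3"; and "And we use following code to verify the input:" still lacks "the" before "following".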
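Review bot: in the hunk at `@@ -107,13 +107,13 @@` the rewritten sentence "the sanitization is a little bit different than verifying the button and check box inputs since here we get a slice from the check boxes" now compares check boxes with themselves; the original contrast was between radio buttons (one value) and check boxes (a slice), so it should read "different from verifying radio buttons, since here we get a slice from the check boxes". The same "sanitization" versus "verification" wording issue applies here as in the drop down list hunk.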
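Review bot: in the hunk at `@@ -125,14 +125,14 @@` the new prose "After that, it's easy to check it." implies that `time.Date(...)` rejects bad input, but `time.Date` normalizes out-of-range fields (for example a day of 31 in a 30-day month rolls into the next month) and never returns an error, so it does not validate a user-supplied date on its own; the section should point at `time.Parse` with a fixed layout, whose returned error is what actually rejects an invalid date or time. The unchanged example `t := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)` uses constants, not form input, so it does not illustrate the check the paragraph describes.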