bar10der has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

Let me first admit that I am completely new to HT and CA. I have done some of the tutorials available on the net and am trying to find my feet. I am developing an application where I want to take user input, validate data (I can use JavaScript for form validation), display a confirmation page and then, once the user confirms the entry, put the data in the database (Oracle). Using html template I am able to create the input screen, validate entries using JavaScript and then put data in the database. However, I am not able to create a confirmation page. There is a dirty way of doing a confirmation page (creating another template for it) but I want to know if there is a simple way. Any help or reference will be greatly appreciated.

Re: Confirmation page using HTML::Template & CGI::Application
by jeffa (Bishop) on Feb 02, 2004 at 14:51 UTC

    First, don't rely on JavaScript alone for form validation. JavaScript validation can be easily bypassed because the server can be accessed directly by bots (and WWW::Mechanize makes the task even easier).

    Personally, I would instead use JavaScript as the confirmation page, because you still have to validate what they confirmed! Personally, I think that confirmation pages are only necessary for the deletion of records. But, having said all of that, here is some HTML::Template code that will display a confirmation page -- the trick is using hidden form fields.

    use strict;
    use warnings;
    use CGI;
    use HTML::Template;

    my $q    = CGI->new;
    my $tmpl = HTML::Template->new(
        filehandle => \*DATA,
        associate  => $q,
    );

    print $q->header, $q->start_html;

    # cmd is absent on the first request; default it so 'eq' does not
    # warn about an uninitialized value
    if (($q->param('cmd') || '') eq 'confirm') {
        print $q->p("the user confirmed");
    }
    else {
        # the template HTML-escapes foo and bar (escape=html) before
        # echoing them back to the browser
        print $tmpl->output;
    }
    print $q->end_html;

    __DATA__
    <tmpl_if cmd>
    You submitted:
    <ol>
      <li>foo: <tmpl_var name=foo escape=html></li>
      <li>bar: <tmpl_var name=bar escape=html></li>
    </ol>
    You like?
    <form>
      <input type="hidden" name="cmd" value="confirm" />
      <input type="submit" value="yes" />
    </form>
    <tmpl_else>
    <form>
      foo: <input type="text" name="foo" /><br/>
      bar: <input type="text" name="bar" /><br/>
      <input type="hidden" name="cmd" value="ask" />
      <input type="submit" />
    </form>
    </tmpl_if>


    (the triplet paradiddle with high-hat)
Re: Confirmation page using HTML::Template & CGI::Application
by jdtoronto (Prior) on Feb 02, 2004 at 15:33 UTC
    There are a couple of ways to do this. I prefer to do the validation using CGI::Application::ValidateRM; this can 'shadow' the JavaScript validation on the original form. But as jeffa says, NEVER EVER rely on JavaScript; it is too easily hacked or bypassed. Following ValidateRM you can do one of two things. If the form does not validate, then ValidateRM will feed all the original values plus the error messages back to the original run-mode.

    Once the form is validated you can either use the valid results from the returned object via the -valid() method of ValidateRM, or use the param() method of the CGI query to reload the form and send it back.

    Confirmation is problematic - it is, in our frame of reference, a totally new form input. The form or the javascript can easily be hacked. Even using js and/or hidden values is of little use in ensuring the data is not changed.

    My solution? Take the first form when it all validates, write it to the database with an 'unconfirmed' flag set. When the user confirms, clear the flag. If the user does not confirm then delete the data. Alternatively, write the hash of data to a session record, using something like CGI::Session and when it is confirmed, write it to the database.

    How do I handle the checking of the confirmation? Personally I write the form data to the session record. When the user confirms I compare the two hashes and only if all fields remain validated and unchanged does the data get written to the database. It can all be done with one template, it is all in how you handle the data.

    To see the CGI::Application::ValidateRM module in action see this tutorial by the module's maintainer markjugg.
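
The session-based check jdtoronto describes, as an added example that is not part of the original thread: validated data is stashed server-side and the confirming request is re-validated and compared against it. A plain hash stands in for CGI::Session, and the field rules, session ids and sub names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Stand-in for a server-side session store (CGI::Session in a real app).
my %session_store;

# Hypothetical server-side rules for the thread's 'foo' and 'bar' fields.
my %rules = (
    foo => qr/\A[A-Za-z ]{1,40}\z/,
    bar => qr/\A\d{1,6}\z/,
);

# Return a hashref of validated fields, or undef if any field fails.
sub validate {
    my ($input) = @_;
    my %valid;
    for my $field (keys %rules) {
        my $value = $input->{$field};
        return unless defined $value && $value =~ $rules{$field};
        $valid{$field} = $value;
    }
    return \%valid;
}

# Step 1: form posted. Validate, stash under the session id, show confirmation.
sub handle_ask {
    my ($sid, $input) = @_;
    my $valid = validate($input) or return 'redisplay form';
    $session_store{$sid} = $valid;
    return 'show confirmation';
}

# Step 2: user confirmed. The stash is single-use; re-validate what came
# back (hidden fields included) and compare it to the stored copy.
sub handle_confirm {
    my ($sid, $input) = @_;
    my $stored = delete $session_store{$sid} or return 'no pending entry';
    my $valid  = validate($input)            or return 'rejected: invalid';
    for my $field (keys %$stored) {
        return "rejected: $field changed" if $valid->{$field} ne $stored->{$field};
    }
    return 'write to database';   # the INSERT goes here, using bind placeholders
}

# Constructed requests: an honest confirmation, then one with an edited hidden field.
handle_ask('sid-1', { foo => 'widget', bar => '42' });
print handle_confirm('sid-1', { foo => 'widget', bar => '42' }), "\n";
handle_ask('sid-2', { foo => 'widget', bar => '42' });
print handle_confirm('sid-2', { foo => 'widget', bar => '4200' }), "\n";
```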


Re: Confirmation page using HTML::Template & CGI::Application
by bradcathey (Prior) on Feb 02, 2004 at 16:23 UTC
    Excellent points by jeffa and jdtoronto that will be helpful in my own work. Two additional points:

    1. True, Javascript is not to be trusted, and I always validate in my Perl script (as a function of untainting input). However, I still occasionally use JS to validate on the client side (if they have it turned on and aren't trying to crack it) as a preliminary filter because it's fast, no delay, no tapping of the server, no screen refresh. Double-coding? Yes. But it might make things more convenient for the average surfer. Just something to keep in mind.

    2. If you are rolling your own confirmation page, and using H::T, consider the handy associate setting, which populates your template with the original data (I learned this from jeffa's helpful H::T tutorial):
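
    use strict;
    use warnings;
    use CGI;
    use HTML::Template;

    my $query   = CGI->new;
    my $name    = $query->param('name');
    my $address = $query->param('address');
    my $city    = $query->param('city');
    my $zip     = $query->param('zip');

    # associate => $query fills template variables straight from the form parameters
    my $template = HTML::Template->new(
        filename          => '../confirmation.tmpl',
        associate         => $query,
        die_on_bad_params => 0,
    );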

    "A little yeast leavens the whole dough."
      Good thoughts bradcathey.

      A wonderful example of double-coding, and a useful module for simple form manipulation, is CGI::FormBuilder from Nate Wiger. This handy module generates JavaScript validation code that you can put in the form directly, or using HTML::Template.

      In fact Nate has a family of simple modules that work very well together including SQL::Abstract and HTML::QuickTable. I often use these for truly quick and dirty testing stuff or intranet goodies that will never go past the firewall.


Re: Confirmation page using HTML::Template & CGI::Application
by bar10der (Beadle) on Feb 05, 2004 at 10:39 UTC
    Hi All, Thanks for all your help and suggestions. I am able to do my confirmation page...the associate option in H::T is really great. As for validation, I have decided to use validateRM, though I am finding it a bit tough as it's a completely new concept to me, but better to learn it! Thanks again to all of you for your help.