First, don't rely on JavaScript alone for form validation. JavaScript validation can be easily bypassed because the server can be accessed directly by bots (and WWW::Mechanize makes the task even easier).

Personally, i would instead use JavaScript as the confirmation page, because you still have to validate what they confirmed! Personally, i think that confirmation pages are only necessary for the deletion of records. But, having said all of that, here is some HTML::Template code that will display a confirmation page -- the trick is using hidden form fields.

use strict;
use warnings;

use CGI;
use HTML::Template;

my $q    = CGI->new;
my $tmpl = HTML::Template->new(
   filehandle => \*DATA,
   associate  => $q,
);

print $q->header, $q->start_html;

if ($q->param('cmd') eq 'confirm') {
   print $q->p("the user confirmed");
}
else {
   print $tmpl->output;
}

__DATA__
<tmpl_if cmd>
   You submitted:
   <ol>
      <li>foo: <tmpl_var foo></li>
      <li>bar: <tmpl_var bar></li>
   </ol>
   You like?
   <form>
   <input type="hidden" name="cmd" value="confirm" />
   <input type="submit" value="yes" />
   </form>
<tmpl_else>
   <form>
   foo: <input type="text" name="foo" /><br/>
   bar: <input type="text" name="bar" /><br/>
   <input type="hidden" name="cmd" value="ask" />
   <input type="submit" />
   </form>
</tmpl_if>
[download]

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)

Once the form is validated you can either use the valid results from the returned object via the -valid() method of ValidateRM, or use the param() method of the CGI query to reload the form and send it back.

Confirmation is problematic - it is, in our frame of reference, a totally new form input. The form or the javascript can easily be hacked. Even using js and/or hidden values is of little use in ensuring the data is not changed.

My solution? Take the first form when it all validates, write it to the database with an 'unconfirmed' flag set. When the user confirms, clear the flag. If the user does not confirm then delete the data. Alternatively, write the hash of data to a session record, using something like CGI::Session and when it is confirmed, write it to the database.

How do I handle the checking of the confirmation. Persoanlly I write the form data to the session record. When the user confirms I comapre the two hashes and only if all fields remain validated and unchanged does the data get written to the database. It can all be done with one template, it is all in how you handle the data.

To see the CGI::Application::ValidateRM module in action see this tutorial by the modules maintainer markjugg.

jdtoronto

my $query = new CGI;
my $name = $query->param('name');
my $address = $query->param('address');
my $city = $query->param('city');
my $zip = $query->param('zip');

my $template = HTML::Template->new(filename => 
        '../confirmation.tmpl',
        associate => $query,
        die_on_bad_params => 0);
[download]

Good thoughts bradcathey.

A wonderful example of double-coding, and a useful module ofr simple form manipulation is CGI::FormBuilder from Nate Wiger. This handly module generates JavaScript validation code that you can put in the form directly, or using HTML::Template.

In fact Nate has a family of simple modules that work very well together including SQL::Abstract and HTML::QuickTable. I often use these for truly quick and dirty testing stuff or intranet goodies that will never go past the firewall.

jdtoronto