[Gambas-user] gambas3 webform crud example.

Benoît Minisini g4mba5 at gmail.com
Fri Sep 13 00:39:33 CEST 2019


On 10/09/2019 at 17:09, Matias De lellis wrote:
> Hi all,
> 
> As I commented in a previous email, the idea is to make a pagekite
> administration page, and I assumed that Gambas webform is a good
> candidate. So, I started writing an example to get familiar with it,
> and I am very happy. =)
> 
> I share a complete example of CRUD handling users.
> * https://github.com/matiasdelellis/gambas3-crud-example
> * https://github.com/matiasdelellis/gambas3-crud-example/releases/download/v0.1.1/WebformCrudExample-0.1.1.tar.gz
>
> The initial class is WebformLogin (everything starts from there), but
> there is a WebFormInstall that must be called once to build the
> database.
> 
> Based on this experience I ask some questions:
> 
> 1. The type of database, name, etc. is fixed/hardcoded, but I would
> like it to be configurable in WebFormInstall. Do you have any
> suggestions? It must be written by WebformInstall and taken
> automatically by WebDatabase.

Store that in a configuration file using 'gb.settings'?

> 
> 1.1. This is annoying, but I ask you to take a quick look at the
> WebDatabase.module to see if you believe it is well done, in
> particular if it is transparent to interact with the rest of the
> classes, and if the security considerations -AdminOrOwnRequired() and
> AdminRequired subroutines- for admin tasks are sufficient.
> 

As soon as you use the substitution methods to forge your requests, you 
should not have any problem with SQL injection.

You use exceptions (Error.Raise) to check administrator rights. It's 
usually not a good idea. You should use return values, and keep 
exceptions for... exceptional things like errors.

Another detail: you don't need to end your request strings with ';'.

And you should explain on the pages how many characters are required in 
logins and passwords. Otherwise people have to read your code to know.

> 2. The values of inputs, positions, active WebForm, are all saved in
> Session, which is interesting, but these are accessible with the
> inspector,

Inspector? What are you talking about?

> and a GET is emitted with that data every time the focus
> changes between the inputs. This is a local security problem that
> would be good to improve.

What do you suggest? What is the problem with sending to the server the 
contents of text fields?

> 
> 3. Related, upon requesting the page again (pressing F5), I would
> expect this data to be cleaned, but I always get the previous data. I
> can't abandon the session, because the active WebForm is saved there
> too.

I don't understand what you are talking about. Of course F5 does not 
clear the data. As everything is stored on the server, everything is 
refreshed on F5. What's the problem?

> 
> 4. How to reuse JS components? In this example I use toastify to
> show a simple notification.
> 
>> Webform.AddJavascriptFile("toastify.js")
> 
> It adds the script from the 'data' folder. Shouldn't it be in 'public'?

It's not needed, as the file is not directly sent to the client.

All javascript files added by Webform.AddJavascriptFile() are 
concatenated and sent in one request to the client. The request is 
inserted in all HTML pages generated by 'gb.web.form' through a <script> 
markup in the <head> of the page.

> 
> Is there no equivalent for CSS? The only way I found is to add a
> style.css file in the public folder to extend the default styles.
> 

Yes, this is the only file supported by default. I could add the same 
mechanism that I made for javascript files. But you usually have several 
javascript files (so that you can separate your code), and only one 
stylesheet file. I was just lazy.

>> WebForm._AddJavascript("Toastify({text: \'" & ("Done") & "\',
> gravity: \'bottom\', close: true }).showToast();")
> 
> Is this correct for executing JS code?

No, you must not call methods beginning with "_"!

They are not part of the public interface, often don't do what you think 
they do, and can change at any moment.

You can use the "Render" event to insert your own HTML (and so 
javascript) in a page.

> 
> 5. How to publish the project?
> 
>> GB_HTTPD_PORT=8080 gbx3 -H
> 
> ...and an Apache reverse proxy from the URL to port 8080?

No, this is just for debugging.

Make an executable. That executable is a CGI script that you must put in 
the suitable directories using the suitable configuration of your web 
server.

> 
> I have many more doubts, but I guess this is enough for a first
> consultation. :sweet_smiley:
> 
> Of course, thank you very much for all the development, and any
> response.
> 
> Regards, Matias.
> 

You're welcome.

Regards,



-- 
Benoît Minisini
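To illustrate the two points made in the reply above (quote values through the substitution arguments of Exec() rather than by string concatenation, and make permission checks return a value instead of calling Error.Raise), here is an added sketch of a Gambas module. It is not code from Matias's project or from gb.web.form; the users table layout, the column names and the function names are assumptions.

```gambas
' Hypothetical database module (not the project's WebDatabase.module).
' Assumes the gb.db component and a table "users" with the columns
' id, login and is_admin.

Private $hConn As Connection

' Connection settings are passed in, so they can come from a
' configuration file (gb.settings) instead of being hardcoded.
Public Sub Connect(sType As String, sHost As String, sName As String, sUser As String, sPassword As String)
  $hConn = New Connection
  $hConn.Type = sType
  $hConn.Host = sHost
  $hConn.Name = sName
  $hConn.User = sUser
  $hConn.Password = sPassword
  $hConn.Open()
End

' UNSAFE: the login value is glued into the request text, so any quote
' character inside it changes the meaning of the SQL statement.
Public Function FindUserUnsafe(sLogin As String) As Result
  Return $hConn.Exec("SELECT * FROM users WHERE login = '" & sLogin & "'")
End

' SAFE: &1 is replaced by sLogin, which the Connection quotes and escapes
' itself, so the value is always treated as data. No trailing ';' needed.
Public Function FindUser(sLogin As String) As Result
  Return $hConn.Exec("SELECT * FROM users WHERE login = &1", sLogin)
End

' Permission checks as functions returning Boolean: the caller decides
' what to show, and exceptions stay reserved for real errors.
Public Function IsAdmin(iUserId As Integer) As Boolean
  Dim rUser As Result
  rUser = $hConn.Exec("SELECT is_admin FROM users WHERE id = &1", iUserId)
  If rUser.Count = 0 Then Return False
  Return rUser!is_admin
End

Public Function AdminOrOwnRequired(iCurrentUser As Integer, iTargetUser As Integer) As Boolean
  Return IsAdmin(iCurrentUser) Or iCurrentUser = iTargetUser
End
```

A page handler would then write `If Not AdminOrOwnRequired(iMe, iTarget) Then Return` before touching another user's record, instead of wrapping the call in a Try/Catch.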

