[Gambas-user] gambas3 webform crud example.

Matias De lellis mati86dl at gmail.com
Fri Sep 13 03:17:40 CEST 2019


Hi Benoît,

Thank you for answering me.
I'll continue between the lines; I hope the mail does not become very
long..

On Thu, 12 Sept 2019 at 19:40, Benoît Minisini (<g4mba5 at gmail.com>)
wrote:

> On 10/09/2019 at 17:09, Matias De lellis wrote:
> > Hi all,
> >
> > As I commented in a previous email, the idea is to make a pagekite
> > administration page, and I assumed that Gambas webform is a good
> > candidate. So I started writing an example to familiarize myself with
> > it, and I am very happy. =)
> >
> > I share a complete CRUD example handling users:
> > https://github.com/matiasdelellis/gambas3-crud-example
> >
> > https://github.com/matiasdelellis/gambas3-crud-example/releases/download/v0.1.1/WebformCrudExample-0.1.1.tar.gz
> >
> > The initial class is WebformLogin (everything starts from there), but
> > there is a WebFormInstall that must be called once to build the
> > database.
> >
> > Based on this experience I ask some questions:
> >
> > 1. The type of database, name, etc. is fixed/hardcoded, but I would
> > like it to be configurable in WebFormInstall. Do you have any
> > suggestions? It must be written by WebFormInstall and taken
> > automatically by WebDatabase.
>
> Store that in a configuration file using 'gb.settings'?
>

Wow.. I spent a long time thinking about environment variables, etc.,
and never thought of that. Great!


> > 1.1. This is annoying, but I ask you to take a quick look at the
> > WebDatabase.module to see if you believe it is well done, in
> > particular whether it is transparent to interact with from the rest of
> > the classes, and whether the security consideration for admin tasks
> > (the AdminOrOwnRequired() and AdminRequired subroutines) is sufficient.
> >
>
> As long as you use the substitution methods to build your requests, you
> should not have any SQL injection problem.
>
> You use exceptions (Error.Raise) to check administrator rights. It's
> usually not a good idea. You should use return values, and keep
> exceptions for... exceptional things like errors.
>
> Another detail: you don't need to end your request strings with ';'.
>
> And you should explain on the pages how many characters are required in
> logins and passwords. Otherwise people have to read your code to know.
>

Okay.. It all makes sense.


> > 2. The values of inputs, positions, active WebForm, are all saved in
> >  Session, which is interesting, but these are accessible with the
> > inspector,
>
> Inspector? What are you talking about?
>

Sorry.. Originally I thought I could find the passwords inside the HTML, but
that clearly doesn't happen.

> > and a GET is emitted with that data every time the focus
> > changes between the inputs. This is a local security problem that
> > would be good to improve.
>
> What do you suggest? What is the problem with sending to the server the
> contents of text fields?
>

Well, the only problem is that it is a GET, therefore the password is sent
within the URL, and would be accessible to anyone who manages the network.

Taking into account that it is now easy to obtain legitimate SSL
certificates, I guess this is paranoid. But if the password is saved by the
browser, just by clicking on the filled-in inputs a GET is emitted where the
passwords can be observed. Again, paranoid, haha. IMHO it's something to
improve, but of course with a very low priority.

> > 3. Related, upon requesting the page again (pressing F5), I would
> > expect this data to be cleaned, but I always get the previous data. I
> > can't abandon the session, because the active WebForm is saved there
> > too.
>
> I don't understand what you are talking about. Of course F5 does not
> clear the data. As everything is stored on the server, everything is
> refreshed on F5. What's the problem?
>

Well, on a login page I would expect it not to be saved.
I guess I should do it by code, and clear these inputs when the page is
reloaded. Maybe a property could be added to do this automatically?


> > 4. How do I reuse JS components? In this example I use toastify to
> > show a simple notification.
> >
> >> Webform.AddJavascriptFile("toastify.js")
> >
> > It adds the script from the 'data' folder. Shouldn't it be in public?
>
> It's not needed, as the file is not directly sent to the client.
>
> All javascript files added by Webform.AddJavascriptFile() are
> concatenated and sent in one request to the client. The request is
> inserted in all HTML pages generated by 'gb.web.form' through a <script>
> markup in the <head> of the page.
>
> >
> > Is there no equivalent for CSS? The only way I found is to add a
> > style.css file in the public folder to extend the default styles.
> >
>
> Yes, this is the only file supported by default. I could add the same
> mechanism that I made for javascript files. But you usually have several
> javascript files (so that you can separate your code), and only one
> stylesheet file. I was just lazy.
>

Ok.. I almost proposed a pull request to add it, but since I discovered how
it works and it seemed logical, I didn't send it. Maybe it just needs to be
documented a bit.


> >> WebForm._AddJavascript("Toastify({text: \'" & ("Done") & "\',
> > gravity: \'bottom\', close: true }).showToast();")
> >
> > Is this the correct way to execute JS code?
>
> No, you must not call methods beginning with "_"!
>
> They are not part of the public interface, often don't do what you think
> they do, and can change at any moment.
>
> You can use the "Render" event to insert your own HTML (and so
> javascript) in a page.
>

This is the only thing that is hard for me to understand.
Are you suggesting that I need to write the <button> by hand, and write
everything inside the onclick()? IMHO, it loses much of the grace of
working inside the server, since it would force me to validate within the
JS, and it would be difficult to call a simple function.

I imagined something like WebTimer, but it always ends up calling this
private function..


> > 5. How to publish the project?
> >
> >> GB_HTTPD_PORT=8080 gbx3 -H
> >
> > ...and an Apache reverse proxy from the URL to port 8080?
>
> No, this is just for debugging.
>
> Make an executable. That executable is a CGI script that you must put in
> the suitable directories using the suitable configuration of your web
> server.
>

I have never worked with CGI scripts. I'm going to investigate it better,
and then try to document everything.


> > I have many more doubts, but I guess this is enough for a first
> > consultation.. :sweet_smiley:
> >
> > Of course, thank you very much for all the development, and any
> > response..
> >
> > Regards, Matias.
> >
>
> You're welcome.
>
> Regards,
>
>
>
> --
> Benoît Minisini
>
> ----[ Gambas mailing-list is hosted by https://www.hostsharing.net ]----
>
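For reference, here is how the three suggestions above might look together in Gambas: connection parameters read through gb.settings instead of being hardcoded, requests built with the '&1' substitution of Connection.Exec so the driver does the quoting, and rights checks that return a Boolean instead of raising an error. This is an added example written for this page, not code from the gambas3-crud-example repository or from Benoît's reply; the configuration file path, the 'users' table and its columns, and every function name other than AdminOrOwnRequired are assumptions.

```gambas
' WebDatabase.module (added example, not the module from the repository)
' Assumed schema: a "users" table with columns id, login, password_hash, is_admin.

Private $hConn As Connection

' Read the connection parameters from a gb.settings file. The assumed
' convention is that WebFormInstall writes the same keys once, e.g.
'   hSettings["Database/Type"] = "sqlite3" ... hSettings.Save()
' and WebDatabase only ever reads them here.
Public Function Open() As Boolean

  Dim hSettings As New Settings(User.Home &/ ".config/crud-example/database.conf")

  $hConn = New Connection
  $hConn.Type = hSettings["Database/Type", "sqlite3"]
  ' For sqlite3, Host is the directory and Name the database file.
  $hConn.Host = hSettings["Database/Host", User.Home &/ ".config/crud-example"]
  $hConn.Name = hSettings["Database/Name", "crud.sqlite"]
  $hConn.Login = hSettings["Database/Login", ""]
  $hConn.Password = hSettings["Database/Password", ""]

  ' A missing or unreachable database is a real error, so it is the one
  ' place where the caller should see a failure rather than a rights refusal.
  Try $hConn.Open()
  Return Not Error

End

' '&1' is replaced by the quoted value, so a login such as  ' OR 1=1 --
' stays inside the string literal and cannot alter the query.
' No trailing ';' is needed on the request.
Public Function FindUser(sLogin As String) As Result

  Return $hConn.Exec("SELECT id, login, is_admin FROM users WHERE login = &1", sLogin)

End

' Rights checks return a Boolean: the WebForm decides what to show,
' and exceptions stay reserved for real failures.
Public Function IsAdmin(iUserId As Integer) As Boolean

  Dim hResult As Result

  hResult = $hConn.Exec("SELECT is_admin FROM users WHERE id = &1", iUserId)
  If Not hResult.Available Then Return False
  Return CBool(hResult!is_admin)

End

' A user may act on their own row; anyone else needs to be an administrator.
Public Function AdminOrOwnRequired(iActingUserId As Integer, iTargetUserId As Integer) As Boolean

  If iActingUserId = iTargetUserId Then Return True
  Return IsAdmin(iActingUserId)

End

' Typical caller: refuse the action with a return value instead of
' catching an Error.Raise in the form.
Public Function DeleteUser(iActingUserId As Integer, iTargetUserId As Integer) As Boolean

  If Not AdminOrOwnRequired(iActingUserId, iTargetUserId) Then Return False
  $hConn.Exec("DELETE FROM users WHERE id = &1", iTargetUserId)
  Return True

End
```

In the form, `If Not WebDatabase.DeleteUser(Session["user_id"], iId) Then` followed by a message to the user replaces the Try/Catch around an exception, which is the separation of "refused" from "failed" that the reply above recommends.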