G'day Sam & H::T Developers,

Let me start by saying thank-you for your work on HTML::Template. It's a module I use very frequently when developing web apps in Perl. In fact, more recently I have been using it for more than web apps, including mail merges and just now parameterising SQL queries. This is what I would like to discuss with you all. :)

My name is Damien and I am currently looking at writing a perl module that is derived (via inheritance) from HTML::Template that is specifically designed for parameterising SQL. My rationale for doing this I'll leave to the end of the email. If you are interested and have the time, please have a read and tell me what you think.

To achieve this goal, it would be most helpful to add some simple functionality to HTML::Template. I have written this code and attached it to this email as a patch for review and hope that it may be included into the main HTML::Template distribution. My rationale for this change follows.

HTML::Template allows certain syntax to be "escaped" using the escape attribute in <tmpl_var> tags, and also the default_escape option to new(). This syntax escaping is hardcoded into the module and limited to HTML, JS, and URLs as I understand. I would like to extend HTML::Template to allow the user to implement their own arbitrary escape functionality. Doing so would provide greater extensibility of HTML::Template into areas beyond its traditional web roots. Yes, including SQL. :) It would also help to address simple one-off problems, such as the one encountered by Alex Teslik or Matt Taylor as per previous threads found in the archives:

http://sourceforge.net/mailarchive/message.php?msg_name=20080320022702.M35671%40acatysmoof.com
http://sourceforge.net/mailarchive/message.php?msg_id=1175524797.11485.1.camel%40deb-matt.zipper.azi

(mind any url wrapping).

I am proposing the following changes to the HTML::Template API and template format:

- Extend the syntax for <tmpl_var escape=(JS,HTML,URL,NONE,1,0)> to include user provided attribute values. Examples are probably more clear: <tmpl_var name='bla' escape=php> or in my case <tmpl_var name='bla2' escape=sql>.
- The constructor to take the option "escape" with the value being a hashref. The keys will be the escape names given in the templates (e.g. php or sql) and the value a reference to a subroutine that is provided by the user to escape any special meanings to the syntax used in that context. This will be implemented in the same way as the filter option that currently exists in HTML::Template. The template variable value will be passed to the subroutine as a scalarref as is done for filters.

Once again, an example (yes a little contrived):

-----------------------
use HTML::Template;

# Escape a value for use inside a quoted MySQL LIKE pattern:
# backslashes first, then the wildcards % and _, then the quote.
my $esc = sub {
    my $value = shift;
    $$value =~ s/\\/\\\\/g;
    $$value =~ s/%/\\%/g;
    $$value =~ s/_/\\_/g;
    $$value =~ s/'/\\'/g;
    # etc
};

my $t = HTML::Template->new(filename => 'query.sqlt', escape => {sql => $esc});
$t->param(surname => "O'Loughlin");

--query.sqlt--
select interest,term from loan
where client_surname like '<tmpl_var name="surname" escape="sql">' escape '\\';
----------------------------

So Sam, do you have time to include my work into HTML::Template, and do you agree with my approach and rationale for this change? What do you reckon? :)

My rationale for creating this perl module is as follows. I know there are other perl solutions to this, but they are mostly based around writing perl to generate SQL, rather than parameterising queries. Often they attempt to abstract the SQL syntax into an API. These approaches, while catering to the most likely cases, are still very constraining in terms of the versatility of the SQL. Those that do parameterise queries have unfamiliar syntax or are limited in how they deal with parts of the query being missing and other problems. HTML::Template is very well known in the web programming space in Perl, and SQL and web go hand in hand. So I am thinking it is a shorter leap for developers to use HTML::Template syntax in their queries, and then you can leverage more easily some of the more colourful tricks in SQL to get your data, without requiring Perl to crunch it into the required form. Plus, I also plan to add some syntactic sugar in my own module that enhances HTML::Template specifically for writing SQL. To achieve this, I need to be able to do arbitrary escaping of user supplied values.

I tried to make this email as short as possible, as I previously said, I'm sure you are all very busy. If you made it this far, my sincere thanks. :)

Regards,
Damien Clark.
Attachment: HTML-Template-escape.patch (binary data)
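A self-check for the escape hook the email proposes, added here as an example (it is not part of the email, the attached patch, or HTML::Template itself): the hypothetical apply_escape helper looks up the escape named in the tag and calls the user's sub with a scalarref, exactly the calling convention the proposal describes, and the constructed inputs show why the backslash substitution must run before the others. The ansi entry is an added alternative for databases that quote by doubling the single quote.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: models the proposed escape => { name => \&sub } option.
my %escape = (
    # MySQL-style backslash escaping for a quoted LIKE pattern, as in the email.
    # Backslashes MUST be doubled first; otherwise the backslashes inserted
    # for %, _ and ' would themselves be doubled by a later substitution.
    sql => sub {
        my $value = shift;
        $$value =~ s/\\/\\\\/g;
        $$value =~ s/%/\\%/g;
        $$value =~ s/_/\\_/g;
        $$value =~ s/'/\\'/g;
    },
    # ANSI SQL string literal: double the single quote, no wildcard escaping.
    ansi => sub {
        my $value = shift;
        $$value =~ s/'/''/g;
    },
);

# Hypothetical helper: apply the escape named in the tag to a copy of the value,
# passing it as a scalarref the way the proposal (and filters today) do.
sub apply_escape {
    my ($name, $value) = @_;
    my $sub = $escape{$name} or die "unknown escape '$name'";
    my $copy = $value;
    $sub->(\$copy);
    return $copy;
}

# Constructed inputs covering each character the sql sub must handle,
# with the output expected inside a MySQL quoted literal.
my @cases = (
    ["O'Loughlin", "O\\'Loughlin"],
    ["100%",       "100\\%"],
    ["a_b",        "a\\_b"],
    ["C:\\temp",   "C:\\\\temp"],
    ["\\%",        "\\\\\\%"],   # backslash then percent, each escaped once
);
for my $c (@cases) {
    my $got = apply_escape('sql', $c->[0]);
    printf "%-12s -> %-14s %s\n", $c->[0], $got, $got eq $c->[1] ? 'ok' : 'FAIL';
}
print apply_escape('ansi', "O'Loughlin"), "\n";   # O''Loughlin
```

The sql sub follows MySQL's backslash conventions and only protects a value that lands inside a quoted literal; where the driver supports them, DBI bind placeholders avoid the need to escape the value at all.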