Note that the SQL subcommands, including the letters"sql"are case sensitive, unlike HTML which is not case sensitive.
Unless specified otherwise, the % substitutionsare performed on the contents of the SQL subcommand before the contentsare examined, and SQL subcommands are of the form:
Different DBMSs may recognise different names in each of the SQLsubcommands. If a name is used in a subcommand which is not recognisedby the DBMS in use, the name will be silently ignored.
The valarg subcommand tests the validity of the listedargument, and the valform subcommand tests the validityof the listed form variable.
The most significant use of these subcommands is to ensure that malicioususers don't put in unexpected SQL syntax to cause the SQL to divulgesensitive information or to change the wrong information. They can be usedanywhere in a dbCGI file, and they cause the remainder of the file to beignored if the validation fails.
Formatting escapes are not interpreted within the validation subcommands,except within the FORMAT name, where they are interpreted when the messageis displayed.
The argument validation names are:
The CLASS name specifies a basic datatype thatthe value being validated must adhere to. Class names are case sensitive.Unrecognised class names are ignored. There are three classes:
The numeric class may have a leading "+" or"-", a series of digits, a".", and a second series of digits. Any partmay be missing, so all of the following are valid:
Tabbedtext is like plaintext, but the horizontal tab character is permitted.
The MAXCHARS name specifies the maximum number of characterspermitted in the value.
Example:
The MINCHARS name specifies the minimum number of charactersrequired in the value.
Example:
The FORBIDDEN name presents a list of characters whichshould cause the value to be rejected if any one of the characters appearsin the value. You can use normal text or the C escapes '\n'(the new line character), '\r' (the carriage return character),'\b' (The backspace character), '\t'(the tab character), '\\' (The backslash character), and'\nnn' where nnn isa three digit octal number representing the value of the character.The following example rejects the letters a,b, c, the new line character and the escapecharacter (character 27, or 033 in octal).
The RANGE name is the reverse of the FORBIDDENname. Thus "RANGE=abc\n\033" would cause anything containingcharacters other than the letters a,b, c, the new line character and the escapecharacter to be rejected.
The FORMAT name specifies how the error message thatshould be displayed if an value fails validation. If the string"%v"appears in this value, it will be replaced with the actual value thatfailed validation. If this name is omitted, a default is used.
You must use the init subcommand before you can usethe connect subcommand.
All names are taken to be the name of an environment variable to set.It is not possible to give a complete list of valid environment variableshere, because different versions of Informix can require differentenvironment variables, but the following example is for Informix Onlineversion 4:
All names are taken to be the name of an environment variable to set.
Example:
ODBC does not recognise any names in the init section.
The names ORACLE_HOME, ORACLE_SID andTWO_TASK are valid, and correspond the the environmentvariables of the same names:
The following names are valid for Progress:
Example:
The only name recognised for Sybase is SYBASE,which specifies the location of the Sybase directory (the directory containingthe interfaces file.
Example:
You must use init before you can use connect. Likeinit, the names valid for connect vary depending onthe database.
The only name recognised for Informix is DATABASE, whichgives the name of the database to connect to. Note that informix can onlyhave one active connection at a time - you must use disconnectbefore a second use of connect.
Example:
The only name recognised for Ingres is DATABASE, whichgives the name of the database to connect to. Note that Ingres can onlyhave one active connection at a time - you must use disconnectbefore a second use of connect.
Example:
ODBC recognises the following names:
Example:
Oracle recognises the following names:
Non SQL*NET example:
Progress recognises only one name - CONNSTR,which specifies the connection string (arguments to the ProgressCONNECT command). You must assign a logical database name inthe connection string. In the example below, the logical databasename is demodb.
Example:
Sybase recognises the following names:
Example:
The error subcommand allows you to specify the formatfor error output. All error messages generated after this subcommand isprocessed will be displayed in the new format. If this subcommand is notused, a default format will be used.
The % substitutions are not performed on the contentsof the error subcommand until the error is produced.Typically you will use %e, %c and%n to include the error text, the SQL command andthe error number causing the error.
The error subcommand does not have names - its contentsare used "as is" for the formatting of errors.
Example: display the errors under the heading 'SQL Error'with the SQL command in strong text, followed by the error text, andthe error number.
The % substitutions are not performed on the contentsof the headings subcommand until the headings areproduced.
The headings subcommand affects all querysubcommands until the next headings subcommand.
Example: Display the heading 'The results of the query are asfollows', followed by the names of the first, second and thirdcolumns separated by commas.
The % substitutions are not performed on the contentsof the format subcommand until the output records areproduced.
The format subcommand affects all querysubcommands until the next format subcommand.
Example: Display the first three columns from a query, with the first columnbeing presented as a heading, but only if it has changed since the previousrecord, and display a colon between the second and third column if the valueof the third column is not null.
The execute subcommand is used to submit an SQL commandwhich is not expected to return any records, such as SET, UPDATE, INSERT,DELETE, or CREATE TABLE - in fact almost anything except SELECT and somestored procedures.
If you use any arguments or form values you should be sure to validate thembefore executing the SQL. For example, in the SQL below, you would need toensure that argument 3 was in the numeric class, as the implications ofargument 3 being, say '1000, bank_account = 1234567, amount_overpaid = 10000000'may be dangerous.
Example:
The query subcommand is used to submit an SQL commandwhich is expected to return records, such as SELECT and some storedprocedures. If the query is successfully executed, the headingswill be output once, followed by the format for eachrecord resulting from the query.
If you use any arguments or form values you should be sure to validate thembefore executing the SQL. For example, in the SQL below, you would need toensure that argument 1 was in the numeric class, or the user could see detailsfor all customers by setting argument 1 to '1 OR 2<>1'
Example:
The disconnect subcommand is used to disconnect from adatabase which was connected by a previous connectsubcommand. After the disconnect subcommand you can no longerissue execute and query subcommands againstthe named connection ID.
Only Progress recognises a name in the disconnectsubcommand - DATABASE, which specifies the logicaldatabase name to disconnect.
Example for everything but Progress:
Example: