Figure 15-23. Response page for “All” languages choice
Checking for Missing and Invalid Inputs
So far, we’ve been triggering the CGI script by selecting a language name from the pull-
down list in the main HTML page. In this context, we can be fairly sure that the script
will receive valid inputs. Notice, though, that there is nothing to prevent a client from
passing the requested language name at the end of the CGI script’s URL as an explicit
query parameter, instead of using the HTML page form. For instance, a URL of the
following kind typed into a browser’s address field or submitted with the module
urllib.request:
http://localhost/cgi-bin/languages.py?language=Python
yields the same “Python” response page shown in Figure 15-22. However, because it’s
always possible for a user to bypass the HTML file and use an explicit URL, a user could
invoke our script with an unknown language name, one that is not in the HTML file’s
pull-down list (and so not in our script’s table). In fact, the script might be triggered
with no language input at all if someone explicitly submits its URL with no language
parameter (or no parameter value) at the end. Such an erroneous URL could be entered
into a browser’s address field or be sent by another script using the urllib.request
module techniques described earlier in this chapter. For instance, valid requests work
normally:
1190 | Chapter 15: Server-Side Scripting
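The server-side check this section calls for, as an added example that is not the book's own script: it parses the raw query string with urllib.parse and accepts a language only if it appears in the table. The table contents, the length bound, and the function names `pick_language` and `reply_body` are assumptions made for illustration.

```python
import html
from urllib.parse import parse_qs

# Assumed stand-in for the script's table of known languages (constructed).
KNOWN_LANGUAGES = {"Python", "Perl", "Java", "C", "All"}
MAX_NAME_LEN = 32  # assumed bound on how much client text is ever echoed


def pick_language(query_string):
    """Classify a raw QUERY_STRING as (status, value).

    status is "ok", "missing", "repeated" or "unknown". value is the
    allowlisted name on "ok", the rejected text on "unknown", else None.
    """
    # keep_blank_values=True so "?language=" is seen as present but empty
    fields = parse_qs(query_string, keep_blank_values=True)
    values = fields.get("language", [])
    if not values or not values[0].strip():
        return "missing", None
    if len(values) > 1:
        return "repeated", None   # ambiguous request: do not guess
    name = values[0].strip()
    if name not in KNOWN_LANGUAGES:
        return "unknown", name
    return "ok", name


def reply_body(query_string):
    """Build the HTML fragment the script would send for this request."""
    status, name = pick_language(query_string)
    if status == "ok":
        return "<h3>%s</h3>" % name   # safe: value came from the table
    if status == "missing":
        return "<p>No language was selected.</p>"
    if status == "repeated":
        return "<p>Please send exactly one language.</p>"
    # Client-supplied text is truncated and escaped before being echoed
    shown = html.escape(name[:MAX_NAME_LEN])
    return "<p>Sorry, I don't know that language: %s</p>" % shown


if __name__ == "__main__":
    # Constructed query strings: valid, absent, empty, unknown, markup
    for qs in ("language=Python", "", "language=", "language=GuiDO",
               "language=%3Cb%3EC%3C/b%3E"):
        print(repr(qs), "->", reply_body(qs))
```

In a CGI script the query string would come from `os.environ.get("QUERY_STRING", "")`.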