World: r4wp

Any one knows how can we save value from the form into database?
 - sure, Pekr told you how to do it.


Your problem is that you do not do what Pekr told you to do. First, 
you need to create the form. Check: Do you really have the form?

Second, you need to create a CGI script (this is not the form from 
the first point, the form from the first point is not a CGI script). 
Check: do you really have a CGI script ?


Pekr told you that the example you posted was neither the form, nor 
the CGI script.

One more note: your problem is much more elementary than handling 
the database. Before writing data to the database you need to have 
a script accepting (decoding) the data obtained from the form.

Ladislav - thank you. It is apparent, that what afsanehsamim is missing 
is the basic knowledge of how webserver stuff works between the client 
and the server. Examples at rebol.com are pretty straightforward. 
The only chance is to really create a simple example for him ...

Create 2 files. Call the first one e.g. cgi-test.html, and upload 
it to your server. The only thing you have to change is the link 
to your .cgi script in there:

<HTML>
<TITLE>Simple Web Form</TITLE>
<BODY>
<b>Simple Web Form</b><p>
<FORM ACTION="http://www.xidys.com/cgi-bin/cgi-test.cgi">
<INPUT TYPE="TEXT" NAME="Field" SIZE="25"><BR>
<INPUT TYPE="SUBMIT" NAME="Submit" VALUE="Submit">
</FORM>
</BODY>
</HTML>



Create a second file, called cgi-test.cgi (it has to align to how 
you name it in the above source file). Upload it to your cgi working 
directory. Remember to change the first line to contain the path, 
where your REBOL executable is placed:

#!/usr/local/bin/rebcmd -sqc

REBOL []

print join "Content-type: text/plain" newline
start: now/time/precise

submitted: decode-cgi read-cgi
values: construct submitted

prin "Submitted: " print mold submitted
prin "values: " print mold values
prin "values/field: " print mold values/field

print now/time/precise - start
print newline
 

Now go to your URL, and try to submit some values. You can test it 
on my site at: http://www.xidys.com/cgi-test.html

but afsa, honestly - it does not even belong to the database group, 
but to Rebol School group - you seem to miss the basic understanding, 
of how CGI works on the server. Your problem is not in getting the 
value into DB, but handling CGI stuff in general. In above example, 
what you would put into your DB would be values/field ...

Thankyou so much ladislav and Pekr ... guys i  underestand whatever 
you said ... Pekr : you meant i should first decode values after 
that should values save in database? i have two files and both work 
properly! one html and another one is cgi ! i did your codes as well 
... now plz tell me what is the next step ?  As i told you before 
i should save value in database  ,it is one part of my project !!!! 
:(  i did this link  http://www.rebol.com/docs/cgi2.html#section-2
and i underestood ...    http://www.rebol.com/docs/cgi2.html#section-2http://www.rebol.com/docs/cgi2.html#section-2

plz tell me decoding value is not related to saving data ?

then how can i save values ?

do you mean saving result to a file?
it is just a block, you can simple SAVE %file.r RESULT

no ...i mean saving values into database .

use a normal INSERT query.
insert db-port "INSERT INTO table (colA, colB) VALUES (1,2)" 
or 

insert db-port ["INSERT INTO table (colA, colB) VALUES (?,?)" 1 2]

Endo  values should get from form ,it is a big problem till now that 
no one could underestand ...

i did that query before but it is not working

how does it matter where the values come from? it is a totally different 
issue.
try reading
http://www.rebol.com/docs/cgi1.html
http://www.rebol.com/docs/cgi2.html
http://www.rebol.com/docs/cgi-bbs.html

@Pekr: could you tell me after decoding values what is the next step?

i decoded my values which i got from the form! my cgi and html are 
working ,plz tell me what should i do?

afsa, did you succesfull echo back the decoded form values to the 
browser andreas told you before?

if so, you have to add your mysql connection parameters to your script., 
open a mysql port and do an sql insert to your table.

yes TomBon ,i did it ... but there are no values in my database.

can you post your insert command here?

insert db ["insert into data1(oneone,onetwo,onethree,twoone,twothree,threeone,threetwo,threethree) 
values(?,?,?,?,?,?,?,?)" ]

i know it dose not have any value

i do not know what should i write

You are missing the actual values to insert. Put those in the block 
after the SQL string.

yes, I see. parameterized inserts are ok but perhaps better make 
a rejoin.

insert db ["insert into sql-tablename (sql-fieldname) values (?)" 
cgi-values/cgi-fieldname]

afsa, the last one from andreas is fine.

TomBon, don't encourage people to use rejoin for SQL queries. Definitely 
use parameterized queries. Building your own queries with rejoin 
is a sure recipe for SQL injection.

i suggest to get the html+cgi echoing working first, then getting 
a minimal script that inserts a value into your database working, 
and then putting the two pieces together by extending your "echo" 
cgi to insert into the database

brian, made this for year without any problems. also good for beginners.

checking for proper values and a corerct sql syntax should be always 
done even when parameterized.

Nice to hear, TomBon. Nonetheless, such checking is exactly what 
parameterized queries do, and I often have to fix errors made by 
other developers who don't use them. Plus, parameterized queries 
are a lot quicker on most databases because the query plan gets cached.

It is always a bad idea to suggest to newbie programmers that they 
not use parameterized queries.

well better first to make him clear whats going up, then make the 
final.
I think he is confused by this examples.

btw, how parameterized queries preventing sql injection if not serverside?

Non-parameterized queries are an advanced topic for experienced developers, 
though also the subject of the worst coding horror stories :)

well, well :)

but let's first try to help afsan, if his script is running he can 
improve it.

guys ...i am happy :) it is working... tnx a lot  Andreas ...

thank you TomBon and BrianH

nice, good luck with your crossword afsan...

With parameterized queries (even in REBOL) the SQL and the parameters 
are sent separately and combined in the server. The query plan is 
generated only once per query, with the parameter placeholders being 
in the plan. Then the actual parameters are plugged into the plan. 
The next time the parameterized query is called (maybe with differe3nt 
parameter values) the same plan is used and the new parameter values 
are plugged in.

isn't this execution optimation?. in this case a stored procedure 
will help also. how will this prevent from sql injection? compared 
to a concatenated server side sql string?

If you build a query dynamically with rejoin or something, the query 
is put together client side and then the server has to generate a 
new query plan for each distinct set of parameter values. This takes 
time and blows the query plan cache, which slows down the whole query 
process.

The problem is that your ad-hoc parameter screening is usually not 
perfect. Parameterized queries don't build a query in the server, 
they just plug in the values to an already-compiled query (the "query 
plan"). The server doesn't have to do any parameter screening other 
than for malformed values in the protocol.

depends on the needs. I always try to detach the data sink from input 
logic. this way you can change your db backend very easy but of course 
everybody has it's own style in this.

For new developers ad-hoc parameter screening is even more likely 
to be bad (and most that don't use parameterized queries are still 
new, no matter how long they've been programming, because parameterized 
queries are almost always inherently better). Even if it wasn't a 
safety issue, they're a lot faster.

I've seen data front-ends that don't use parametrized queries when 
talking to SQL servers that support them. They need work.

could you tell me how can i compare values of two tables in database?

About parametrized queries: The only problem using them on R2, at 
least with RT's default ODBC, there is no chance to use NULL values. 
None of those work:
insert db-port ["INSERT t (a) VALUES (?)" NULL]
insert db-port ["INSERT t (a) VALUES (?)" 'NULL]
insert db-port ["INSERT t (a) VALUES (?)" "NULL"]
insert db-port ["INSERT t (a) VALUES (?)" none]
insert db-port reduce ["INSERT t (a) VALUES (?)" none]

you have more than one solution, the first is a simple serial SELECT 
on each table -> compare the output for equal.

of course this produce unnecessary DB overhead but I guess you won't 
feel any speed difference except you are

serving a whole city concurrently. another, better one is a JOIN 
or UNION.

SELECT table_name1.column_name(s), ...
FROM table_name1
LEFT JOIN table_name2
ON table_name1.column_name=table_name2.column_name


the JOIN direction (LEFT,RIGHT,INNER) for your reference table is 
important here. 

the resultset is a table containing BOTH columns. if both having 
a value -> match, if one is empty then you don't.


index both fields to accelerate the query and use something like 
the free SQLyog 
to test different queries to make debugging easier for you.


while you situation reminds me to myself, sitting infront of a monochrom 
asthon tate dot some decades ago

and asking what next?, you should 'bite' yourself now thru the rest. 
It won't help you on longterm if you don't.