Using C for CGI Programming(3)

Mar 01, 2005 By Clay Dowling

 in

• Software

You can speed up complex Web tasks while retaining the simplicity of CGI. With many useful libraries available, the jump from a scripting language to C isn't as big as you might think.

Listing 4. save_event(), Parsing CGI Data

struct event* e;
 
e = event_create();
cgiFormInteger("eventno", &e->event_no, 0);
cgiFormStringNoNewlines("name", e->name, 80);
cgiFormStringNoNewlines("location",
                        e->location, 80);
/* Processing date fields */
cgiFormInteger("beginyear",
               &e->event_begin->year, 0);
cgiFormInteger("beginmonth",
               &e->event_begin->month, 0);
cgiFormInteger("beginday", &e->event_begin->day, 0);
cgiFormInteger("endyear", &e->event_end->year, 0);
cgiFormInteger("endmonth", &e->event_end->month, 0);
cgiFormInteger("endday", &e->event_end->day, 0);
/* Process begin & end times separately */
cgiFormStringNoNewlines("beginhour",
                        e->event_begin->hour, 10);
cgiFormStringNoNewlines("endhour",
                        e->event_end->hour, 10);
event_write(e);
cgiHeaderLocation(cgiScriptName);
 

Finally, I need a way to handle the submit buttons. They're the mostcomplex input, because I need to launch a function based on theirvalues and select a default value, just in case. The cgic library hasa function, cgiFormSelectSingle(), that emulates this behavior exactly.It requires the list of possible values to be in an array of strings.It populates an integer variable with the index of the parameter inthe array or uses a default value if there are no matches.

Listing 5. Handling Submit Buttons

char* command[5] = {"List", "Show",
                    "Save", "Delete", 0};
void (*action)(void)[5] = {list_events,
  show_event, save_event, delete_event, 0};
int result;
 
cgiFormSelectSingle("do", command, 4, &result, 0);
action[result]();
 

See Resources for information on function pointers.If function pointers stillbaffle you, you can choose the function to run in a switchstatement. I prefer the array of function pointers because it is morecompact, but my older code still makes use of the switch statement.

Database System

MySQL from C is largely the same as PHP, if you're used to thatinterface. You have to use MySQL's string escape functions toescape problematic characters in your strings, such as quote charactersor the back slash character, but otherwise it is basicallythe same.The show_event() function requires me to fetch a single record fromthe primary key. All of the error checking bulks up the code, butit's really three basic statements.A call to mysql_query() executes the MySQL statement and generates aresult set. A call to mysql_store_result() retrieves the result setfrom the server. Finally, a call to mysql_fetch_row() pulls a singleMYSQL_ROW variable from the result set.

The MYSQL_ROW variable can be treated like an array of strings(char**). If any of the data is numeric and you want to treat it asnumeric data, you need to convert it. For instance, in myapplication it is desirable to have the date as three separate numericcomponents. Because this data is structured as YYYY-MM-DD, I usesscanf() to get the components (Listing 6).

Listing 6. Retrieving Data from MySQL

MYSQL_RES* res;
MYSQL_ROW row;
int beginyear;
int beginmonth;
int beginday;
 
if (mysql_query(db, sql)) {
  print_error(mysql_error(db));
  return;
}
if((res = mysql_store_result(db)) == 0) {
  print_error(mysql_error(db));
  return;
}
if ((row = mysql_fetch_row(res)) == 0) {
  print_error("No event found by that number");
  return;
}
sscanf(row[0], "%d-%d-%d", &beginyear, &beginmonth,
       &beginday);
 

Writing data to the database is more interesting because of the needto escape the data. Listing 7 shows how it is done.

Listing 7. Using User-Supplied Data in MySQL

char name[11];
char escapedname[21];
 
cgiFormStringNoNewlines("name", name, 10);
mysql_real_escape_string(db, escapedname, name,
                         strlen(name));
 

escapedname holds the same string as name, with MySQL specialcharacters escaped so I can insert them into an SQL statementwithout worry. It is essential that you escape all strings read fromuser input; otherwise, a devious person could take advantage of yourlapse and do unpleasant things to your database.