Switch back to POST by default for query views.

GET is still allowed as a fallback, however. Refs #140
coleifer · Jan 15, 2024 · c776cdc · c776cdc
1 parent ed80c34
commit c776cdc
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/sqlite_web/sqlite_web.py b/sqlite_web/sqlite_web.py
@@ -275,16 +275,16 @@ def _query_view(template, table=None):
     data_description = error = row_count = sql = None
     ordering = None
 
-    sql = qsql = request.args.get('sql') or ''
+    sql = qsql = request.values.get('sql') or ''
 
-    if 'export_json' in request.args:
-        ordering = request.args.get('export_ordering')
+    if 'export_json' in request.values:
+        ordering = request.values.get('export_ordering')
         export_format = 'json'
-    elif 'export_csv' in request.args:
-        ordering = request.args.get('export_ordering')
+    elif 'export_csv' in request.values:
+        ordering = request.values.get('export_ordering')
         export_format = 'csv'
     else:
-        ordering = request.args.get('ordering')
+        ordering = request.values.get('ordering')
         export_format = None
 
     if ordering:
@@ -330,7 +330,7 @@ def _query_view(template, table=None):
         table=table,
         table_sql=dataset.get_table_sql(table))
 
-@app.route('/query/', methods=['GET'])
+@app.route('/query/', methods=['GET', 'POST'])
 def generic_query():
     return _query_view('query.html')
 
@@ -861,7 +861,7 @@ def table_delete(table, pk):
         table=table,
         table_pk=table_pk)
 
-@app.route('/<table>/query/', methods=['GET'])
+@app.route('/<table>/query/', methods=['GET', 'POST'])
 @require_table
 def table_query(table):
     return _query_view('table_query.html', table)

diff --git a/sqlite_web/templates/query.html b/sqlite_web/templates/query.html
@@ -23,7 +23,7 @@
 {% block content_title %}<a href="{{ url_for('index') }}">{{ dataset.base_name }}</a> - Query{% endblock %}
 
 {% block content %}
-  <form action="." id="query-form" method="get" role="form">
+  <form action="." id="query-form" method="post" role="form">
     <input name="ordering" type="hidden" value="" />
     <input name="export_ordering" type="hidden" value="{% if ordering %}{{ ordering }}{% endif %}" />
     <div class="form-group{% if error %} has-error has-feedback{% endif %}">

diff --git a/sqlite_web/templates/table_query.html b/sqlite_web/templates/table_query.html
@@ -32,7 +32,7 @@ <h3>
   <div id="tableInfo">
     {{ table_sql|format_create_table|highlight }}
   </div>
-  <form action="." id="query-form" method="get" role="form">
+  <form action="." id="query-form" method="post" role="form">
     <input name="ordering" type="hidden" value="" />
     <input name="export_ordering" type="hidden" value="{% if ordering %}{{ ordering }}{% endif %}" />
     <div class="form-group{% if error %} has-error has-feedback{% endif %}">