From c776cdc188c4120543b6af25e571782a8ea2b867 Mon Sep 17 00:00:00 2001
From: Charles Leifer
Date: Mon, 15 Jan 2024 11:05:21 -0600
Subject: [PATCH] Switch back to POST by default for query views. GET is still allowed as a fallback, however. Refs #140
---
 sqlite_web/sqlite_web.py | 16 ++++++++--------
 sqlite_web/templates/query.html | 2 +-
 sqlite_web/templates/table_query.html | 2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/sqlite_web/sqlite_web.py b/sqlite_web/sqlite_web.py
index 28a953db..1b59cfe4 100755
--- a/sqlite_web/sqlite_web.py
+++ b/sqlite_web/sqlite_web.py
@@ -275,16 +275,16 @@ def _query_view(template, table=None):
 data_description = error = row_count = sql = None
 ordering = None
- sql = qsql = request.args.get('sql') or ''
+ sql = qsql = request.values.get('sql') or ''
- if 'export_json' in request.args:
- ordering = request.args.get('export_ordering')
+ if 'export_json' in request.values:
+ ordering = request.values.get('export_ordering')
 export_format = 'json'
- elif 'export_csv' in request.args:
- ordering = request.args.get('export_ordering')
+ elif 'export_csv' in request.values:
+ ordering = request.values.get('export_ordering')
 export_format = 'csv'
 else:
- ordering = request.args.get('ordering')
+ ordering = request.values.get('ordering')
 export_format = None
 if ordering:
@@ -330,7 +330,7 @@ def _query_view(template, table=None):
 table=table, table_sql=dataset.get_table_sql(table))
-@app.route('/query/', methods=['GET'])
+@app.route('/query/', methods=['GET', 'POST'])
 def generic_query():
 return _query_view('query.html')
@@ -861,7 +861,7 @@ def table_delete(table, pk):
 table=table, table_pk=table_pk)
-@app.route('//query/', methods=['GET'])
+@app.route('/
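Review bot: With `request.values` the query string and the form body are merged and the query-string value takes precedence, so in `sql = qsql = request.values.get('sql') or ''` a POST to a URL that also carries `?sql=` uses the URL's statement rather than the one in the body. The statement that is run can then differ from what body-based logging or review would show, and the same applies to `export_json`, `export_csv`, `export_ordering` and `ordering`. Reading one source per method keeps this unambiguous, e.g. `params = request.form if request.method == 'POST' else request.args` followed by `params.get('sql')`. `_query_view` begins and continues outside this hunk, so how `sql` is used afterwards is not visible here.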
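Review bot: Keeping `'GET'` in `methods=['GET', 'POST']` on `/query/` means a statement can still arrive in the URL, where it is recorded in access logs, browser history and Referer headers and can be triggered by any link the user follows; the `table_query` route in the next hunk gets the same method list. No CSRF token check is visible on the POST path in these hunks either, so if none exists elsewhere in the file, the switch to POST alone does not stop a cross-site form from submitting SQL. If the GET fallback from #140 has to stay, a comment above both routes such as `# GET kept as a fallback (refs #140); SQL sent in the URL is logged and linkable, prefer POST` would record the trade-off. Restricting the GET path to read-only statements would also be worth considering.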
/query/', methods=['GET', 'POST'])
 @require_table
 def table_query(table):
 return _query_view('table_query.html', table)
diff --git a/sqlite_web/templates/query.html b/sqlite_web/templates/query.html
index f55e0066..babe6605 100644
--- a/sqlite_web/templates/query.html
+++ b/sqlite_web/templates/query.html
@@ -23,7 +23,7 @@
 {% block content_title %}{{ dataset.base_name }} - Query{% endblock %}
 {% block content %}
-
+
diff --git a/sqlite_web/templates/table_query.html b/sqlite_web/templates/table_query.html
index dc03bb7b..e95c65d4 100644
--- a/sqlite_web/templates/table_query.html
+++ b/sqlite_web/templates/table_query.html
@@ -32,7 +32,7 @@

{{ table_sql|format_create_table|highlight }}
-
+