SQLPage v0.17.1 documentation

If you are completely new to SQLPage, you should start by reading the get started tutorial, which will guide you through the process of creating your first SQLPage application.

Building an application with SQLPage is quite simple. To create a new web page, just create a new SQL file. For each SELECT statement that you write, the data it returns will be analyzed and rendered to the user. The two most important concepts in SQLPage are components and parameters.

To select a component and set its top-level properties, you write the following SQL statement:

SELECT 'component_name' AS component, 'my value' AS top_level_parameter_1;

Then, you can set its row-level parameters by writing a second SELECT statement:

SELECT my_column_1 AS row_level_parameter_1, my_column_2 AS row_level_parameter_2 FROM my_table;

This page documents all the components provided by default in SQLPage and their parameters. Use this as a reference when building your SQL application. If at any point you need help, you can ask for it on the SQLPage forum.

If you know some HTML, you can also easily create your own components for your application.

components

alert
A visually distinctive message or notification.
authentication
An advanced component that can be used to create pages with password-restricted access. When used, this component has to be at the top of your page, because once the page has begun being sent to the browser, it is too late to restrict access to it. The authentication component checks if the user has sent the correct password, and if not, redirects them to the URL specified in the link parameter. If you don't want to re-check the password on every page (which is an expensive operation), you can check the password only once and store a session token in your database. You can use the cookie component to set the session token cookie in the client browser, and then check whether the token matches what you stored in subsequent pages.
button
A versatile button component to display one or multiple button links of different styles.
card
A grid where each element is a small card that displays a piece of data.
chart
A component that plots data. Line, area, bar, and pie charts are all supported. Each item in the component is a data point in the graph.
cookie
Sets a cookie in the client browser, used for session management and storing user-related information. This component creates a single cookie. Since cookies need to be set before the response body is sent to the client, this component should be placed at the top of the page, before any other components that generate output. After being set, a cookie can be accessed anywhere in your SQL code using the `sqlpage.cookie('cookie_name')` pseudo-function.
csv
A button that lets the user download data as a CSV file. Each column from the items in the component will map to a column in the resulting CSV.
datagrid
Display small pieces of information in a clear and readable way. Each item has a name and is associated with a value.
debug
Display all the parameters passed to the component. Useful for debugging: just replace the name of the component you want to debug with 'debug'.
dynamic
A special component that can be used to render other components, the number and properties of which are not known in advance.
form
A series of input fields that can be filled in by the user. The form contents can be posted and handled by another SQL file in your site. The value entered by the user in a field named x will be accessible to the target SQL page as a variable named $x. For instance, you can create a SQL page named "create_user.sql" that would contain "INSERT INTO users(name) VALUES($name)" and a form with its action property set to "create_user.sql" that would contain a field named "name".
hero
Display a large title and description for your page, with an optional large illustrative image. Useful in your home page, for instance.
http_header
An advanced component that can be used to create redirections, set a custom caching policy to your pages, or set any HTTP header. If you are a beginner, you probably don't need this component. When used, this component has to be the first component in the page, because once the page is sent to the browser, it is too late to change the headers. Any valid HTTP header can be used as a top-level parameter for this component. HTTP headers are additional pieces of information sent with responses to web requests that provide instructions or metadata about the data being sent — for example, setting cache control directives to control caching behavior or specifying the content type of a response.
json
For advanced users, allows you to easily build an API over your database. The json component responds to the current HTTP request with a JSON object. This component must appear at the top of your SQL file, before any other data has been sent to the browser.
list
A vertical list of items. Each item can be clickable and link to another page.
map
Displays a map with markers on it. Useful in combination with PostgreSQL's PostGIS or SQLite's spatialite.
redirect
Redirects the user to another page. This component is useful for implementing redirects after a form submission, or to redirect users to a login page if they are not logged in. Contrary to the http_header component, this component completely stops the execution of the page after it is called, so it is suitable to use to hide sensitive information from users that are not logged in, for example. Since it uses an HTTP header to redirect the user, it is not possible to use this component after the page has started being sent to the browser.
shell
Personalize the "shell" surrounding your page contents. Used to set properties for the entire page.
steps
Guide users through multi-stage processes, displaying a clear list of previous and future steps.
tab
Build a tabbed interface, with each tab being a link to a page. Each tab can be in two states: active or inactive.
table
A table with optional filtering and sorting. Unlike most others, this component does not have a fixed set of item properties: any property that is used will be rendered directly as a column in the table.
text
A paragraph of text. The entire component will render as a single paragraph, with each item being rendered as a span of text inside it, the styling of which can be customized using parameters.
timeline
A list of events with a vertical line connecting them.

The "authentication" component

An advanced component that can be used to create pages with password-restricted access. When used, this component has to be at the top of your page, because once the page has begun being sent to the browser, it is too late to restrict access to it. The authentication component checks if the user has sent the correct password, and if not, redirects them to the URL specified in the link parameter. If you don't want to re-check the password on every page (which is an expensive operation), you can check the password only once and store a session token in your database. You can use the cookie component to set the session token cookie in the client browser, and then check whether the token matches what you stored in subsequent pages.

Introduced in SQLPage v0.7.2.

Top-level parameters

link

The URL to redirect the user to if they are not logged in. If this parameter is not specified, the user will stay on the current page, but be asked to log in using a popup in their browser (HTTP basic authentication).

password

The password that was sent by the user. You can set this to :password if you have a login form leading to your page.

password_hash

The hash of the password that you stored for the user that is currently trying to log in. These hashes can be generated ahead of time using a tool like https://argon2.online/.

Examples

Usage with HTTP basic authentication

The most basic usage of the authentication component is to let SQLPage handle the authentication through HTTP basic authentication. This is the simplest way to password-protect a page, but it is not very user-friendly, because the browser will show an unstyled popup asking for the username and password. The username and password entered by the user will be accessible in your SQL code using the sqlpage.basic_auth_username() and sqlpage.basic_auth_password() functions.

The sqlpage.hash_password function can be used to generate a secure password hash that you need to store in your database.

SELECT 'authentication' AS component,
    '$argon2id$v=19$m=16,t=2,p=1$TERTd0lIcUpraWFTcmRQYw$+bjtag7Xjb6p1dsuYOkngw' AS password_hash, -- generated using sqlpage.hash_password
    sqlpage.basic_auth_password() AS password; -- this is the password that the user entered in the browser popup

Usage with a login form

With a login form, the authentication component simply checks if the user has sent the correct password, and if not, redirects them to a login page:

SELECT 'authentication' AS component,
    'login.sql' AS link,
    '$argon2id$v=19$m=16,t=2,p=1$TERTd0lIcUpraWFTcmRQYw$+bjtag7Xjb6p1dsuYOkngw' AS password_hash, -- generated using sqlpage.hash_password
    :password AS password; -- this is the password that the user sent through our form

and in login.sql:

SELECT 'form' AS component, 'Login' AS title, 'my_protected_page.sql' AS action;
SELECT 'password' AS type, 'password' AS name, 'Password' AS label;

Advanced: usage with a session token

Calling the authentication component is expensive. The password hashing algorithm is designed to be slow, so that it is difficult to brute-force the password, even if an attacker gets access to the database.

If you want to avoid calling the authentication component on every page, you can use a session token. A session token is a random string that is generated when the user logs in, and stored in the database. It has a limited lifetime, and is stored in a cookie in the user's browser. When the user visits a page, the session token is sent to the server, and the server checks if it is valid.

SELECT 'authentication' AS component,
    'login.sql' AS link,
    (SELECT password_hash FROM user WHERE username = :username) AS password_hash,
    :password AS password;

-- The code after this point is only executed if the user has sent the correct password

-- Generate a random session token
INSERT INTO session (id, username)
VALUES (sqlpage.random_string(32), :username)
RETURNING 
    'cookie' AS component,
    'session_token' AS name,
    id AS value;
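
The snippet above only issues the token. The following is an added example (not part of the official SQLPage documentation) of checking that token on subsequent pages, using the redirect component and sqlpage.cookie('session_token') as described above. The created_at column, the one-day lifetime, the file names protected_page.sql and logout.sql, and the SQLite datetime() syntax are assumptions.

```sql
-- Schema, run once (assumption: the page's "session" table, extended with
-- a created_at column so that tokens have a limited lifetime).
CREATE TABLE IF NOT EXISTS session (
    id         TEXT PRIMARY KEY,   -- the token from sqlpage.random_string(32)
    username   TEXT NOT NULL,
    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- ===== protected_page.sql (hypothetical file name) =====
-- Must be the first statement of the page: nothing may be sent to the
-- browser before the check. If the cookie is absent, sqlpage.cookie()
-- is NULL, no session row matches, and the visitor is redirected.
SELECT 'redirect' AS component, 'login.sql' AS link
WHERE NOT EXISTS (
    SELECT 1 FROM session
    WHERE id = sqlpage.cookie('session_token')
      AND created_at > datetime('now', '-1 day')  -- SQLite syntax; assumed 1-day lifetime
);

-- Only reached with a valid, unexpired token, because the redirect
-- component stops the execution of the page when it is called.
SELECT 'text' AS component,
    'Logged in as ' || (SELECT username FROM session
                        WHERE id = sqlpage.cookie('session_token')) AS contents;

-- ===== logout.sql (hypothetical file name) =====
-- Invalidate the token server-side so that a copied cookie stops working,
-- and purge expired rows at the same time.
DELETE FROM session
WHERE id = sqlpage.cookie('session_token')
   OR created_at <= datetime('now', '-1 day');

SELECT 'redirect' AS component, 'login.sql' AS link;
```

On PostgreSQL or MySQL, replace the datetime() expression with that database's interval arithmetic; the rest of the check is unchanged.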
