SQLPage v0.25.0 documentation

If you are completely new to SQLPage, you should start by reading the get started tutorial, which will guide you through the process of creating your first SQLPage application.

Building an application with SQLPage is quite simple. To create a new web page, just create a new SQL file. For each SELECT statement that you write, the data it returns will be analyzed and rendered to the user. The two most important concepts in SQLPage are components and parameters.

components are small user interface elements that you can use to display your data in a certain way.
top-level parameters are the properties of these components, allowing you to customize their appearance and behavior.
row-level parameters constitute the data that you want to display in the components.

To select a component and set its top-level properties, you write the following SQL statement:

SELECT 'component_name' AS component, 'my value' AS top_level_parameter_1;

Then, you can set its row-level parameters by writing a second SELECT statement:

SELECT my_column_1 AS row_level_parameter_1, my_column_2 AS row_level_parameter_2 FROM my_table;

This page documents all the components provided by default in SQLPage and their parameters. Use this as a reference when building your SQL application. If at any point you need help, you can ask for it on the SQLPage forum.

If you know some HTML, you can also easily create your own components for your application.

components

alert

A visually distinctive message or notification.

authentication

An advanced component that can be used to create pages with password-restricted access. When used, this component has to be at the top of your page, because once the page has begun being sent to the browser, it is too late to restrict access to it. The authentication component checks if the user has sent the correct password, and if not, redirects them to the URL specified in the link parameter. If you don't want to re-check the password on every page (which is an expensive operation), you can check the password only once and store a session token in your database. You can use the cookie component to set the session token cookie in the client browser, and then check whether the token matches what you stored in subsequent pages.

breadcrumb

A secondary navigation aid that helps users understand their location on a website or mobile application.

button

A versatile button component do display one or multiple button links of different styles.

card

A grid where each element is a small card that displays a piece of data.

carousel

A carousel is used to display images. When used with multiple images, it will cycle through them automatically or with controls, creating a slideshow.

chart

A component that plots data. Line, area, bar, and pie charts are all supported. Each item in the component is a data point in the graph.

code

Displays one or many blocks of code from a programming language or formated text as XML or JSON.

Sets a cookie in the client browser, used for session management and storing user-related information. This component creates a single cookie. Since cookies need to be set before the response body is sent to the client, this component should be placed at the top of the page, before any other components that generate output. After being set, a cookie can be accessed anywhere in your SQL code using the `sqlpage.cookie('cookie_name')` pseudo-function.

csv

A button that lets the user download data as a CSV file. Each column from the items in the component will map to a column in the resulting CSV.

datagrid

Display small pieces of information in a clear and readable way. Each item has a name and is associated with a value.

debug

Visualize any set of values as JSON. Can be used to display all the parameters passed to the component. Useful for debugging: just replace the name of the component you want to debug with 'debug', and see all the top-level and row-level parameters that are passed to it, and their types.

divider

Dividers help organize content and make the interface layout clear and uncluttered.

dynamic

A special component that can be used to render other components, the number and properties of which are not known in advance.

form

A series of input fields that can be filled in by the user. The form contents can be posted and handled by another sql file in your site. The value entered by the user in a field named x will be accessible to the target SQL page as a variable named $x. For instance, you can create a SQL page named "create_user.sql" that would contain "INSERT INTO users(name) VALUES($name)" and a form with its action property set to "create_user.sql" that would contain a field named "name".

hero

Display a large title and description for your page, with an optional large illustrative image. Useful in your home page, for instance.

html

Include raw HTML in the output. For advanced users only. Use this component to create complex layouts or to include external content. Be very careful when using this component with user-generated content, as it can lead to security vulnerabilities. Use this component only if you are familiar with the security implications of including raw HTML, and understand the risks of cross-site scripting (XSS) attacks.

http_header

An advanced component to set arbitrary HTTP headers: can be used to set a custom caching policy to your pages, or implement custom redirections, for example. If you are a beginner, you probably don't need this component. When used, this component has to be the first component in the page, because once the page is sent to the browser, it is too late to change the headers. HTTP headers are additional pieces of information sent with responses to web requests that provide instructions or metadata about the data being sent — for example, setting cache control directives to control caching behavior or specifying the content type of a response. Any valid HTTP header name can be used as a top-level parameter for this component. The examples shown here are just that, examples; and you can create any custom header if needed simply by declaring it. If your header's name contains a dash or any other special character, you will have to use your database's quoting mechanism to declare it. In standard SQL, you can use double quotes to quote identifiers (like "X-My-Header"), in Microsoft SQL Server, you can use square brackets (like [X-My-Header]).

json

For advanced users, allows you to easily build an API over your database. The json component responds to the current HTTP request with a JSON object. This component must appear at the top of your SQL file, before any other data has been sent to the browser.

list

A vertical list of items. Each item can be clickable and link to another page.

map

Displays a map with markers on it. Useful in combination with PostgreSQL's PostGIS or SQLite's spatialite.

redirect

Redirects the user to another page. This component is useful for implementing redirects after a form submission, or to redirect users to a login page if they are not logged in. Contrary to the http_header component, this component completely stops the execution of the page after it is called, so it is suitable to use to hide sensitive information from users that are not logged in, for example. Since it uses an HTTP header to redirect the user, it is not possible to use this component after the page has started being sent to the browser.

rss

Produces a data flow in the RSS format. Can be used to generate a podcast feed. To use this component, you must first return an HTTP header with the "application/rss+xml" content type (see http_header component). Next, you must use the shell-empty component to avoid that SQLPage generates HTML code.

shell

Personalize the "shell" surrounding your page contents. Used to set properties for the entire page.

steps

Guide users through multi-stage processes, displaying a clear list of previous and future steps.

tab

Build a tabbed interface, with each tab being a link to a page. Each tab can be in two states: active or inactive.

table

A table with optional filtering and sorting. Unlike most others, this component does not have a fixed set of item properties, any property that is used will be rendered directly as a column in the table. Tables can contain rich text, including images, links, and icons. Table rows can be styled with a background color, and the table can be made striped, hoverable, and bordered. Advanced users can apply custom styles to table columns using a CSS class with the same name as the column, and to table rows using the `_sqlpage_css_class` property.

text

A paragraph of text. The entire component will render as a single paragraph, with each item being rendered as a span of text inside it, the styling of which can be customized using parameters.

timeline

A list of events with a vertical line connecting them.

title

Defines HTML headings. The level 1 is used for the maximal size and the level 6 is used for the minimal size.

tracking

Component for visualising activity logs or other monitoring-related data.

The "authentication" component

Introduced in SQLPage v0.7.2.

Top-level parameters

link

The URL to redirect the user to if they are not logged in. If this parameter is not specified, the user will stay on the current page, but be asked to log in using a popup in their browser (HTTP basic authentication).

TEXT

password

The password that was sent by the user. You can set this to :password if you have a login form leading to your page.

TEXT

password_hash

The hash of the password that you stored for the user that is currently trying to log in. These hashes can be generated ahead of time using a tool like https://argon2.online/.

TEXT

Examples

Usage with HTTP basic authentication

The most basic usage of the authentication component is with the sqlpage.basic_auth_username() and sqlpage.basic_auth_password() functions. The component will check if the provided password matches the stored password hash, and if not, it will prompt the user to enter a password in a browser popup:

SELECT 'authentication' AS component,
    '$argon2i$v=19$m=8,t=1,p=1$YWFhYWFhYWE$oKBq5E8XFTHO2w' AS password_hash, -- this is a hash of the password 'password'
    sqlpage.basic_auth_password() AS password; -- this is the password that the user entered in the browser popup

You can generate a password hash using the hash_password function.

If you want to have multiple users with different passwords, you could store them with their password hashes in the database, or just hardcode them use a CASE statement:

SELECT 'authentication' AS component,
    case sqlpage.basic_auth_username()
        when 'admin'
            then '$argon2i$v=19$m=8,t=1,p=1$YWFhYWFhYWE$oKBq5E8XFTHO2w' -- the password is 'password'
        when 'user'
            then '$argon2i$v=19$m=8,t=1,p=1$YWFhYWFhYWE$qsrWdjgl96ooYw' -- the password is 'user'
    end AS password_hash, -- this is a hash of the password 'password'
    sqlpage.basic_auth_password() AS password; -- this is the password that the user entered in the browser popup

Try this example online: SQL Basic Auth.

Advanced user session management

Basic auth is the simplest way to password-protect a page, but it is not very flexible nor user-friendly, because the browser will show an unstyled popup asking for the username and password.

For more advanced authentication, you can store user information and user sessions in your database. You can then use the form component to create a custom login form. When the user submits the form, you check if the password is correct using the authentication component. You then store a unique string of numbers and letters (a session token) both in the user's browser using the cookie component and in your database. Then, in all the pages that require authentication, you check if the cookie is present and matches the session token in your database.

You can check if the user has sent the correct password in a form, and if not, redirect them to a login page.

Create a login form in a file called login.sql:

select 'form' as component, 'Authentication' as title, 'Log in' as validate, 'create_session_token.sql' as action;
select 'Username' as name, 'admin' as placeholder;
select 'Password' as name, 'admin' as placeholder, 'password' as type;

And then, in create_session_token.sql :

SELECT 'authentication' AS component,
    'login.sql' AS link,
    '$argon2id$v=19$m=16,t=2,p=1$TERTd0lIcUpraWFTcmRQYw$+bjtag7Xjb6p1dsuYOkngw' AS password_hash, -- generated using sqlpage.hash_password
    :password AS password; -- this is the password that the user sent through our form

-- The code after this point is only executed if the user has sent the correct password

and in login.sql :

SELECT 'form' AS component, 'Login' AS title, 'my_protected_page.sql' AS action;
SELECT 'password' AS type, 'password' AS name, 'Password' AS label;

Advanced: usage with a session token

Calling the authentication component is expensive. The password hashing algorithm is designed to be slow, so that it is difficult to brute-force the password, even if an attacker gets access to the database.

If you want to avoid calling the authentication component on every page, you can use a session token. A session token is a random string that is generated when the user logs in, and stored in the database. It has a limited lifetime, and is stored in a cookie in the user's browser. When the user visits a page, the session token is sent to the server, and the server checks if it is valid.

SELECT 'authentication' AS component,
    'login.sql' AS link,
    (SELECT password_hash FROM user WHERE username = :username) AS password_hash,
    :password AS password;

-- The code after this point is only executed if the user has sent the correct password

-- Generate a random session token
INSERT INTO session (id, username)
VALUES (sqlpage.random_string(32), :username)
RETURNING 
    'cookie' AS component,
    'session_token' AS name,
    id AS value;

Single sign-on with OIDC (OpenID Connect)

If you don't want to manage your own user database, you can use OpenID Connect and OAuth2 to authenticate users. This allows users to log in with their Google, Facebook, or internal company account.

You will find an example of how to do this in the Single sign-on with OIDC.