[Add documentation on request URL parameters as well as tainting them
Alan-Shields@omrf.ouhsc.edu**20050825214957] {
addfile ./doc/request_parameters.html
hunk ./doc/request_parameters.html 1
+<html><head><title>Araneida - Request Parameters</title>
+<LINK rel="stylesheet" href="/doc/araneida.css">
+<title>Araneida - How to Get Request Parameters</title>
+</head><body>
+
+<p>Unfortunately, this documents only dealing with URL parameters, AKA
+GET parameters. Others are invited and encouraged to contribute documentation
+for POST.</p>
+
+<p>The relevant code is in "url.lisp"</p>
+
+<h1>Parameters</h1>
+<p>To obtain all parameters, use URL-QUERY-ALIST</p>
+<pre>
+(defmethod handle-request-response ((handler my-handler) method request)
+  ; let's say the request is "http://example.com/my/handler?foo=1;bar=12"
+  (let ((params (url-query-alist (request-url request))))
+    insert-code-here))
+</pre>
+
+<p>Params would now look like:
+<pre>
+'(("foo" "1")("bar" "12"))
+</pre>
+
+<p>To improve clarity in your code, or because you just want one or two parameters,
+consider using URL-QUERY-PARAM</p>
+<pre>
+(defmethod handle-request-response ((handler my-handler) method request)
+  ; let's say the request is "http://example.com/my/handler?foo=1;bar=12"
+  (let ((foo (url-query-param (request-url request) "foo"))
+	(bar (url-query-param (request-url request) "bar")))
+    insert-code-here))
+</pre>
+
+<p>It's important to note that the values will be returned as strings.</p>
+
+<p>If you pass :case-sensitive f to URL-QUERY-PARAM, the key will be matched without
+regard to case. This is best to use when you can.</p>
+
+
+<h1>Tainted Parameters</h1>
+<p>To help prevent errors (and help close some security holes), the above functions
+have tainted equivalents. CL-TAINT is a package developed by Alan Shields and is included
+with Araneida. Taint wraps a value in a lambda, preventing it from being used directly -
+you must untaint it first.
+
+<pre>
+CL-USER&gt; (setf x "5")
+"5"
+CL-USER&gt; x
+"5"
+CL-USER&gt; (setf y (taint "5"))
+#&lt;CLOSURE (LAMBDA ()) {5082C97D}&gt;
+CL-USER&gt; y
+#&lt;CLOSURE (LAMBDA ()) {5082C97D}&gt;
+CL-USER&gt; (untaint #'parse-integer y)
+5
+</pre>
+
+<p>By defining your own untainting functions, you can make sure that only proper values are
+used.
+
+<p>The tainted versions are TAINTED-URL-QUERY-ALIST and TAINTED-URL-QUERY-PARAM. They have
+the same argument list - the only difference is that the values are returned tainted.
+
+<p>If you wish to be warned when you use untainted calls, set araneida:*warn-when-using-untainted-values*
+to a true value. This will cause a USING-UNTAINTED-VALUES condition (a warning) to be signaled whenever
+untainted calls are used.
+
+</body>
+</html>
}