• The database
• The CGI script
• The browser (if you're using JS validation)

Just because the browser says it's an acceptable value DOES NOT MEAN that the CGI script believes it. Your data will NOT always come through the CGI script. And, likewise for your database! Your database is the be-all-end-all master arbiter of all things. If it doesn't safeguard its data, who will?!

So, what you do is code up the restrictions EVERYWHERE. You replicate restrictions. This is defense-in-depth. The goal is to guarantee that you refuse a bad value, even if you accidentally refuse a good value every once in a while. Recovering from a refused good value is easy. Recovering from an accepted bad value can be impossible.

If you're asking whether a form CGI can take its format from the structure of a database table, the answer is Yes.

If you're asking if that's a good plan, the answer is Probably Not. :)

The short answer to that is you'll probably end up in a situation where you don't want each column to be represented by a form field, so you'll start to make exceptions. And that way madness lies.

Instead, I use Template::Toolkit to lay out the form, and I may use an array of field names in the CGI to collect information and put it into the database. That way, the CGI form field names are the same as the database field names. And I use CGI::Application as the application framework .. it works well.

Update at 9am, February 13, 2007: I approved this post under Meditations because it doesn't ask a specific question, but rather a general, conceptual question. The anticipated answer would be general thoughts on the topic, and not Here's three lines of code that would solve your problem.

I imagine a Perl script with some generic form generation routines that take their directions from some specs held within the database.

For example, for field_1:

• at creation is to be displayed as a drop-down on the creation screen, with possible values a-to-z,
• not be editable on a record-update screen
• in a listing of records from the table, not be displayed if the user is of user_type=X.

Mmmmmm....I'm beginning to imagine a table of table column specs.....

Table: specs
table_name, field_name, creation_form_type, editable, view_types,....
[download]

Any time you want to start putting application constraints into a database, you should stop thinking and just do the simplest thing possible. That will, most likely, not involve a database.

---

My criteria for good software:

1. Does it work?
2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?

I respectfully disagree with this assessment. While it is certainly true that you can overcomplicate your application for the next poor guy who has to maintain it by storing all kinds of application logic in a database, there are a couple of good reasons for storing allowable field values and other application configuration data in a database table or tables.

Such reasons may include:

• The entry field in question may appear in multiple locations throughout the application -- storing (and retrieving) constraints like this may save you from some ugly (and difficult to maintain) duplication of code.
• You expect the allowable values for some of the fields to frequently change over time, and you'd like to avoid multiple trivial releases of your code.
• Updating your code in production is fraught with red tape; in some corporate environments, database changes can often sneak under the wire, avoiding onerous (but unsophisticated) bureaucratic constraints.
• You have a very large number of entry fields with a large number of similar attributes, and you want to simplify your application code.
• You need to be able to re-configure your application on the fly in a distributed environment.

I'm sure there are more reasons than this, but these are a few which come to mind, suggesting that the advice dragonchild offered above is not universally true.

if the discussion is about putting code in your DB that apps should SELECT out and then run arbitrarily, I'd agree with you on moral grounds -- but there are lots of situations where the "data" for one application is "constraints" for another application.

CMSs are a great example of applications where the person writing the application doesn't know what kinds of constraints the end user needs for their data, because the "content" is different for each installation -- so the "adminstrators" of the system enter the constraint data, and the "users" of the system enter the content that conforms to those constraints.

Surely you wouldn't suggest that everyone who wants to install/maintain a complex application needs to write code to define how they wnat to allow others to use that application? you might rgue "that's what configuration files are for." but how is puting that information in a configuration file really any different then putting it in a database?