Editor's Note: Send your XML questions to Rich Rollman at [email protected]
Many readers' questions have addressed SQL Server's XML functionality. This month's article changes focus with a question about integrating SQL Server's XML functionality with HTML forms and a question about the Document Object Model (DOM). Keep sending your nagging XML questions to [email protected]
Can you use XML with SQL Server 7.5?
SQL Server 7.5 was the version number that Microsoft gave the beta release of SQL Server 2000, which supports XML. If you're curious about XML support in SQL Server 7.0 and 6.5, Microsoft released a SQL Server XML Technology Preview, which provided XML functionality for these versions. The Technology Preview supports a subset of the functionality available in SQL Server 2000 but doesn't include the OpenXML rowset provider because all Technology Preview functionality is implemented within an Internet Server API (ISAPI) DLL. You can download the Technology Preview at http://msdn.microsoft.com/downloads/samples/internet/xml/sqlxml/sample.asp. A word of caution: Microsoft does not officially support the Technology Preview release. (For more information about the differences between SQL Server 2000's XML integration and Microsoft's XML Technology Preview, see Bob Beauchemin, "The XML Files," September 2000.)
I'm trying to use an HTML form with method="POST" to post parameters to a template that updates my database by calling a stored procedure. Why do I get an error when I use method="POST" in my form, but method="GET" succeeds?
I'll answer this question by providing some background information, describing a SQL Server bug, and providing a workaround. I'll also tell you about a Web release that Microsoft recently released that fixes the problem. First, you are correctly using the POST method. The method attribute's values on the form tag specify the HTTP verb to use when you're sending the request to the Web server. You use the GET verb for requests to the server that don't involve changes to data—or, more generally, state—on the server. You use POST when data—or state—changes. When you're performing database operations, you use GET when you're querying data and POST when you're inserting, updating, or deleting data.
When you use an HTML form to POST a request to a Web server, the Web browser packages the values of your form's elements into a particular MIME type. (MIME, which stands for Multipurpose Internet Mail Extensions, is a general format category that represents different types of data. MIME emerged because the first email standards required the ability to describe a message's format.) A Web browser uses the application/x-www-form-urlencoded MIME type to post form data to a Web server. Other objects can use different MIME types to communicate data to the server. For example, Microsoft's XMLHTTP object sends the text/xml MIME type by default and lets the user change the MIME type. The MIME type is the key to understanding the error you encountered because SQL Server's ISAPI DLL contains a bug that shows up when SQL Server processes the MIME type for a POST request.
To request XML data from your database through Microsoft IIS, you configure your Web server with a special virtual root by using the Configure SQL XML Support in IIS utility, which is included when you install SQL Server 2000. After you've created a new virtual directory, you need to set several configuration settings, including enabling template access. By enabling template access, you should be able to query or modify data in your database by sending parameters to a template for execution. But a SQL Server bug results from the interplay with another configuration setting, Allow POST.
Microsoft introduced the Allow POST setting to let you send templates and updategrams to the Web server for processing. Microsoft introduced Allow POST as a separate configuration setting because allowing this type of database access requires care to correctly configure security and opens your Web server to potential Denial of Service (DoS) attacks. You need to ensure that you've sufficiently restricted database permissions because someone could post a template with any arbitrary query, including DROP DATABASE. (Note that this warning also applies to the Allow URL queries configuration setting.) By allowing posts, you also open the possibility that someone could launch a DoS attack by posting a large amount of data to your server. To address this security vulnerability, you're able to use the Allow POST setting to specify the maximum number of bytes that each post will accept. If a single post exceeds the specified size, the system cancels the request and drops the connection to the client. Now, I'll describe the bug.
SQL Server 2000's ISAPI DLL incorrectly interprets an HTML form that uses method="POST" as posting a template or updategram. Instead, the ISAPI DLL should allow this type of message if you've enabled the Allow template queries setting. The best workaround is to use the GET method, although this approach limits the amount of data that someone can post to the server to the length of a URL (2083 characters if you're using Microsoft Internet Explorer—IE—5.0). Another workaround is to use the Allow POST setting, but you would need to make sure that you carefully controlled permissions on the virtual root to ensure that a posted template couldn't damage your system.
Microsoft recently released XML for SQL Server 2000 Web Release 1, which includes additional configuration options to the ISAPI DLL that fix this bug. You can use the Configure SQL XML Support in IIS utility in the Web release to configure the settings to allow template queries and Allow POST. If you enable these options, the ISAPI DLL will accept posts to a template as expected. You can download Web Release 1 at http://msdn.microsoft.com/code/sample.asp?url=/msdnfiles/027/001/554/msdncompositedoc.xml.
How can you use Microsoft Internet Explorer (IE) 5.0 Document Object Model (DOM) and Microsoft XML Parser (MSXML) 3.0 to access the value of the hypertext reference (HREF) attribute of the xml-stylesheet processing instruction (PI), as in
<?xml-stylesheet type='text/xsl' href='sample.xsl'?>
Unlike regular elements, the xml-stylesheet PI doesn't support the concept of attributes, although the processing instruction that you provide appears to have attributes with corresponding values. Instead, a PI simply has a target, which is the name immediately following the first question mark, and some data, which is everything to the right of the white space following the target and preceding the closing question mark.
The World Wide Web Consortium (W3C) DOM Specification requires that compliant implementations allow access to the data in a PI by using the nodeValue property on the node that corresponds to the PI or the data property on the PI interface. In addition, when you use Microsoft's implementation of the DOM, you can also retrieve the value by using the text property on the Node. This capability is an extension of the W3C DOM standard. For the example that you give, all of the properties will return the value "type='text/xsl' href='sample.xsl'".