better warning for $var and :var conflicts

lovasoa · lovasoa · commit c8fdf823492f · 2025-08-26T20:49:11.000+02:00
Add a specific warning when a URL parameter and a form field have the same name. The previous general warning about referencing form fields with the `$var` syntax was confusing in that case. see #1001
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
   - All [standard web encodings](https://encoding.spec.whatwg.org/#concept-encoding-get) are supported.
   - Additionally, `base64` can be specified to decode binary data as base64 (compatible with [data URI](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs))
   - By default, the old behavior of the `fetch_with_meta` function is preserved: the response body is decoded as `utf-8` if possible, otherwise the response is encoded in `base64`.
+ - Added a specific warning when a URL parameter and a form field have the same name. The previous general warning about referencing form fields with the `$var` syntax was confusing in that case.
 
 ## v0.36.1
  - Fix regression introduced in v0.36.0: PostgreSQL money values showed as 0.0
diff --git a/src/webserver/database/syntax_tree.rs b/src/webserver/database/syntax_tree.rs
@@ -158,26 +158,43 @@ pub(super) async fn extract_req_param<'a>(
         // sync functions
         StmtParam::Get(x) => request.get_variables.get(x).map(SingleOrVec::as_json_str),
         StmtParam::Post(x) => request.post_variables.get(x).map(SingleOrVec::as_json_str),
-        StmtParam::PostOrGet(x) => if let Some(v) = request.post_variables.get(x) {
-            log::warn!("Deprecation warning! ${x} was used to reference a form field value (a POST variable) instead of a URL parameter. This will stop working soon. Please use :{x} instead.");
-            Some(v)
-        } else {
-            request.get_variables.get(x)
+        StmtParam::PostOrGet(x) => {
+            let post_val = request.post_variables.get(x);
+            let get_val = request.get_variables.get(x);
+            if let Some(v) = post_val {
+                if let Some(get_val) = get_val {
+                    log::warn!(
+                        "Deprecation warning! There is both a URL parameter named '{x}' with value '{get_val}' and a form field named '{x}' with value '{v}'. \
+                        SQLPage is using the value from the form submission, but this is ambiguous, can lead to unexpected behavior, and will stop working in a future version of SQLPage. \
+                        To fix this, please rename the URL parameter to something else, and reference the form field with :{x}."
+                    );
+                } else {
+                    log::warn!("Deprecation warning! ${x} was used to reference a form field value (a POST variable) instead of a URL parameter. This will stop working soon. Please use :{x} instead.");
+                }
+                Some(v.as_json_str())
+            } else {
+                get_val.map(SingleOrVec::as_json_str)
+            }
         }
-        .map(SingleOrVec::as_json_str),
         StmtParam::Error(x) => anyhow::bail!("{}", x),
         StmtParam::Literal(x) => Some(Cow::Owned(x.to_string())),
         StmtParam::Null => None,
         StmtParam::Concat(args) => concat_params(&args[..], request, db_connection).await?,
-        StmtParam::JsonObject(args) => json_object_params(&args[..], request, db_connection).await?,
+        StmtParam::JsonObject(args) => {
+            json_object_params(&args[..], request, db_connection).await?
+        }
         StmtParam::JsonArray(args) => json_array_params(&args[..], request, db_connection).await?,
         StmtParam::Coalesce(args) => coalesce_params(&args[..], request, db_connection).await?,
-        StmtParam::FunctionCall(func) => func.evaluate(request, db_connection).await.with_context(|| {
-            format!(
-                "Error in function call {func}.\nExpected {:#}",
-                func.function
-            )
-        })?,
+        StmtParam::FunctionCall(func) => {
+            func.evaluate(request, db_connection)
+                .await
+                .with_context(|| {
+                    format!(
+                        "Error in function call {func}.\nExpected {:#}",
+                        func.function
+                    )
+                })?
+        }
     })
 }
 
diff --git a/src/webserver/http.rs b/src/webserver/http.rs
@@ -275,6 +275,25 @@ pub enum SingleOrVec {
     Vec(Vec<String>),
 }
 
+impl std::fmt::Display for SingleOrVec {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            SingleOrVec::Single(x) => write!(f, "{x}"),
+            SingleOrVec::Vec(v) => {
+                write!(f, "[")?;
+                let mut it = v.iter();
+                if let Some(first) = it.next() {
+                    write!(f, "{first}")?;
+                }
+                for item in it {
+                    write!(f, ", {item}")?;
+                }
+                write!(f, "]")
+            }
+        }
+    }
+}
+
 impl SingleOrVec {
     pub(crate) fn merge(&mut self, other: Self) {
         match (self, other) {
