Handling User Input in Forms

This page shows how to allow users to post their own greetings to the guestbook in a web form. The sample codes use the Go http package to process form data.

This page is part of a multi-page tutorial. To start from the beginning and see instructions for setting up, go to Creating a Guestbook.

Mapping the handlers

The sample uses a handler that maps the / path to root and displays the web form:

func root(w http.ResponseWriter, r *http.Request) {
	c := appengine.NewContext(r)
	// Ancestor queries, as shown here, are strongly consistent with the High
	// Replication Datastore. Queries that span entity groups are eventually
	// consistent. If we omitted the .Ancestor from this query there would be
	// a slight chance that Greeting that had just been written would not
	// show up in a query.
	q := datastore.NewQuery("Greeting").Ancestor(guestbookKey(c)).Order("-Date").Limit(10)
	greetings := make([]Greeting, 0, 10)
	if _, err := q.GetAll(c, &greetings); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	if err := guestbookTemplate.Execute(w, greetings); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)

The sample also uses a second handler that maps the /sign path to sign, and displays the data submitted by the web form:

func sign(w http.ResponseWriter, r *http.Request) {
	c := appengine.NewContext(r)
	g := Greeting{
		Content: r.FormValue("content"),
		Date:    time.Now(),
	if u := user.Current(c); u != nil {
		g.Author = u.String()
	// We set the same parent key on every Greeting entity to ensure each Greeting
	// is in the same entity group. Queries across the single entity group
	// will be consistent. However, the write rate to a single entity group
	// should be limited to ~1/second.
	key := datastore.NewIncompleteKey(c, "Greeting", guestbookKey(c))
	_, err := datastore.Put(c, key, &g)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	http.Redirect(w, r, "/", http.StatusFound)

Notice that you get the form data from the sign function by calling r.FormValue.

The form data is passed to guestbookTemplate.Execute and the rendered HTML page is written to http.ResponseWriter.

Finally, notice the use of html/template to automatically filter content to escape HTML special characters. This prevents a class of script injection attacks. For more details on the templating language, see the text/template package documentation.

Send feedback about...

App Engine standard environment for Go