Variable Value into MySQL DB
PERL Beginners mailing list archive, December 2004

Diogo Senai

2004-12-27, 3:55 pm

Hi guys,

I'm having kinda problem... Here's the deal... I'm using CGI so that the
user can, by a browser, type the data that must be recorded into the
database.
I use the CGI library to do that... the user types what he wants in the fields,
and these values are sent to some variables... Then, I'd like to record
these variables' values in the db... But I just can't get it done!
I'm using Net::MySQL to do so... when I test the script by writing fixed
values in it, it works fine... but when I try to record variables' values
it doesn't work... could you help me? Here's my code:

#!/usr/bin/perl
use strict;
use CGI qw/:standard/;
use Net::MySQL;
print header,
start_html('Cadastro de Processos'),
h1('Cadastramento Processos'),
start_form,
"Numero do Processo: ",textfield('process'),br,
"Tipo do Processo: [1-2]",textfield('type'),br,
"Nome do advogado: ",textfield('name'),br,
"Email do advogado: ",textfield('email'),br,
submit,
end_form,
hr,
my $process =param(process);
my $lawyer =param(name);
my $email =param(email);
my $type =param(type);

my $mysql = Net::MySQL->new(
database => 'tj',
user => 'user',
password => 'pass'
);

$mysql->query(q{
INSERT INTO processo (process, name, email, type) VALUES ($process,
$lawyer, $email, $type)
});


Ron Goral

2004-12-27, 3:55 pm



> -----Original Message-----
> From: diogo.senai@sistemafieg.org.br
> [mailto:diogo.senai@sistemafieg.org.br]
> Sent: Monday, December 27, 2004 12:08 PM
> To: beginners@perl.org
> Subject: Variable Value into MySQL DB
>
>
> Hi guys,
>
> I'm having kinda problem... Here's the deal... I'm using CGI so that the
> user can, by a browser, type the data that must be recorded into the
> database.
> I use the CGI library to do that... the user types what he wants in the fields,
> and these values are sent to some variables... Then, I'd like to record
> these variables' values in the db... But I just can't get it done!
> I'm using Net::MySQL to do so... when I test the script by writing fixed
> values in it, it works fine... but when I try to record variables' values
> it doesn't work... could you help me? Here's my code:
> #!/usr/bin/perl
> use strict;
> use CGI qw/:standard/;
> use Net::MySQL;
> print header,
> start_html('Cadastro de Processos'),
> h1('Cadastramento Processos'),
> start_form,
> "Numero do Processo: ",textfield('process'),br,
> "Tipo do Processo: [1-2]",textfield('type'),br,
> "Nome do advogado: ",textfield('name'),br,
> "Email do advogado: ",textfield('email'),br,
> submit,
> end_form,
> hr,
> my $process =param(process);
> my $lawyer =param(name);
> my $email =param(email);
> my $type =param(type);
>
> my $mysql = Net::MySQL->new(
> database => 'tj',
> user => 'user',
> password => 'pass'
> );
>
> $mysql->query(q{
> INSERT INTO processo (process, name, email, type) VALUES ($process,
> $lawyer, $email, $type)
> });


I think you have to quote the param:

my $process =param('process');
my $lawyer =param('name');
my $email =param('email');
my $type =param('type');

HTH
Ron


Joe Mecklin

2004-12-27, 3:55 pm

<answer interspersed below>


On Mon, 27 Dec 2004 16:08:20 -0200 (BRST),
diogo.senai@sistemafieg.org.br <diogo.senai@sistemafieg.org.br> wrote:
> Hi guys,
>
> I'm having kinda problem... Here's the deal... I'm using CGI so that the
> user can, by a browser, type the data that must be recorded into the
> database.
> I use the CGI library to do that... the user types what he wants in the fields,
> and these values are sent to some variables... Then, I'd like to record
> these variables' values in the db... But I just can't get it done!
> I'm using Net::MySQL to do so... when I test the script by writing fixed
> values in it, it works fine... but when I try to record variables' values
> it doesn't work... could you help me? Here's my code:
> #!/usr/bin/perl
> use strict;
> use CGI qw/:standard/;
> use Net::MySQL;
> print header,
> start_html('Cadastro de Processos'),
> h1('Cadastramento Processos'),
> start_form,
> "Numero do Processo: ",textfield('process'),br,
> "Tipo do Processo: [1-2]",textfield('type'),br,
> "Nome do advogado: ",textfield('name'),br,
> "Email do advogado: ",textfield('email'),br,
> submit,
> end_form,
> hr,
> my $process =param(process);
> my $lawyer =param(name);
> my $email =param(email);
> my $type =param(type);
>
> my $mysql = Net::MySQL->new(
> database => 'tj',
> user => 'user',
> password => 'pass'
> );
>
> $mysql->query(q{
> INSERT INTO processo (process, name, email, type) VALUES ($process,
> $lawyer, $email, $type)


try enclosing each VALUES variable in double quotes, like so:

.... VALUES ("$process", "$lawyer", "$email", "$type")

I believe each non-numeric value needs to be enclosed in quotes - even
as a variable - and the double quotes will allow for proper
interpolation of the variable's values.

> });
>
> --
> To unsubscribe, e-mail: beginners-unsubscribe@perl.org
> For additional commands, e-mail: beginners-help@perl.org
> <http://learn.perl.org/> <http://learn.perl.org/first-response>
>
>

Jonathan Paton

2004-12-27, 8:55 pm

> Then, I'd like to record these variables' values in the db...
> But I just can't get it done!


There is something more important (IMHO) than just having
working code. Your code appears to have no concern for
security, and could be used to compromise your server.

You SHOULD enable Taint checking, warnings (this appears
to have been forgotten) and strict. Some advice may be
found in the docs:

perldoc perlsec

> I'm using Net::MySQL to do so...


Reading the documentation for the latest 0.08 (!!!) version that
I can find is uncomfortable. There is no mention of the risk of
SQL code injection, and no apparent means to avoid it.

Is the DBI unsuitable for some reason? By preparing statements
first, using the DBI, you can make code injection impossible.

Sorry to spoil your effort with a word on security. This type of
security issue is common and well known, so you can't rely on
nobody noticing.

Jonathan Paton

--
#!perl
$J=' 'x25 ;for (qq< 1+10 9+14 5-10 50-9 7+13 2-18 6+13
17+6 02+1 2-10 00+4 00+8 3-13 3+12 01-5 2-10 01+1 03+4
00+4 00+8 1-21 01+1 00+5 01-7 >=~/ \S\S \S\S /gx) {m/(
\d+) (.+) /x,, vec$ J,$p +=$2 ,8,= $c+= +$1} warn $J,,
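A hardened rewrite of Diogo's script, added here as an example; it is not code from any of the posters. It takes up Joe's point that the values never reached the SQL text (q{} does not interpolate, so MySQL received the literal string $process) and Jonathan's point that building the statement from user input invites SQL injection: it uses DBI prepared statements with placeholders instead of Net::MySQL string building, runs under -T taint mode with warnings and strict as Jonathan recommends, and validates each field before it can touch the database. The table processo, its four columns and the form labels come from the thread; the DBI DSN, the placeholder credentials 'user'/'pass', and the validation patterns are assumptions for this example. It needs DBI and DBD::mysql installed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw/:standard/;
use DBI;

# Connection details are assumptions for this example; 'user'/'pass'
# are the placeholder credentials from the original post.
my $DSN  = 'DBI:mysql:database=tj';
my $USER = 'user';
my $PASS = 'pass';

# Per-field patterns (assumed shapes). Under -T everything received from
# the browser is tainted; the capture group of a successful match is the
# untainted copy we keep. Anything that does not match is rejected.
my %SPEC = (
    process => qr/^([0-9][0-9.\/-]{0,29})$/,           # case number: digits, dots, slashes, dashes
    type    => qr/^([12])$/,                           # the form only allows 1 or 2
    name    => qr/^([^\x00-\x1f]{1,100})$/,            # printable text; quotes are allowed on purpose
    email   => qr/^([^\s\@]+\@[^\s\@]+\.[^\s\@]+)$/,   # loose e-mail shape
);

# Read, validate and untaint the form fields. Returns the clean values
# and the list of field names that failed validation.
sub read_fields {
    my (%clean, @bad);
    for my $field (sort keys %SPEC) {
        my $raw = param($field);          # scalar context: first value only
        if (defined $raw && $raw =~ $SPEC{$field}) {
            $clean{$field} = $1;          # $1 is the untainted copy
        } else {
            push @bad, $field;
        }
    }
    return (\%clean, \@bad);
}

# Insert with placeholders. The SQL text is fixed at prepare time and the
# values travel separately, so a name such as O'Brien, or any quote or
# semicolon a user types, is stored as data and cannot alter the statement.
# Interpolating "$name" into the SQL (what qq{} would do) is exactly what
# makes the statement depend on the user's text.
sub insert_process {
    my ($dbh, $clean) = @_;
    my $sth = $dbh->prepare(
        'INSERT INTO processo (process, name, email, type) VALUES (?, ?, ?, ?)'
    );
    return $sth->execute(@{$clean}{qw/process name email type/});
}

print header,
      start_html('Cadastro de Processos'),
      h1('Cadastramento Processos'),
      start_form,
      'Numero do Processo: ',     textfield('process'), br,
      'Tipo do Processo: [1-2]',  textfield('type'),    br,
      'Nome do advogado: ',       textfield('name'),    br,
      'Email do advogado: ',      textfield('email'),   br,
      submit,
      end_form,
      hr;        # the print statement ends here; the original's trailing comma swallowed the next line

if (defined param('process')) {             # only once the form has been submitted
    my ($clean, $bad) = read_fields();
    if (@$bad) {
        print p('Campos invalidos: ' . join(', ', @$bad));
    } else {
        my $ok = eval {
            my $dbh = DBI->connect($DSN, $USER, $PASS,
                                   { RaiseError => 1, PrintError => 0 });
            insert_process($dbh, $clean);
            $dbh->disconnect;
            1;
        };
        if ($ok) {
            print p('Processo gravado.');
        } else {
            warn "insert failed: $@";       # details go to the server log, not to the browser
            print p('Erro ao gravar o processo.');
        }
    }
}
print end_html;
```

The type check enforces the "[1-2]" constraint the original form only hinted at in its label, and the name pattern deliberately permits apostrophes: a value like O'Brien would break a hand-quoted VALUES ("$lawyer") string, but goes through the placeholder untouched. Database errors are written to the server log and only a generic message reaches the browser.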
Copyright 2008 codecomments.com