PERL CGI Beginners mailing list archive, January 2005
bind values and cgi params
Robert 2005-01-06, 8:55 pm
I have a form that is submitting and the url ending is "?position=BSIPL". My
form has "method="get"" in it. I have tried it without a method as well.
I have in my CGI:
my $pid = $q->param('position'); # which should now hold BSIPL right?
My SQL is as so:
my $sth = $dbh->prepare("
SELECT position_id, dstrct_code, authty_type,
authty_given, authty_sevrty, authty_rule,
authty_low_lim, orig_ctl_flag, authty_upp_lim
FROM msf872
WHERE position_id = ?
");
$sth->execute($pid);
I run the CGI through "perl -cw" as well as having "use strict" and "use
warnings". I get no errors but I also get no data back when there is data.
Any suggestions?
Robert
Paul Archer 2005-01-06, 8:55 pm
2:48pm, Robert wrote:
> I have a form that is submitting and the url ending is "?position=BSIPL". My
> form has "method="get"" in it. I have tried it without a method as well.
>
> I have in my CGI:
>
> my $pid = $q->param('position'); # which should now hold BSIPL right?
>
> My SQL is as so:
>
> my $sth = $dbh->prepare("
> SELECT position_id, dstrct_code, authty_type,
> authty_given, authty_sevrty, authty_rule,
> authty_low_lim, orig_ctl_flag, authty_upp_lim
> FROM msf872
> WHERE position_id = ?
> ");
> $sth->execute($pid);
>
> I run the CGI through "perl -cw" as well as having "use strict" and "use
> warnings". I get no errors but I also get no data back when there is data.
>
> Any suggestions?
>
Have you looked at the value of $pid itself, or just run it through your
SQL? In other words, first figure out if it's the parameter being passed to
your CGI, or if it's your SQL. Don't try to debug both at once.
Paul
Graeme St. Clair 2005-01-07, 3:55 am
You wouldn't by any chance be calling it $pid in one place and $position_id
in another?
DARFC, GStC.
-----Original Message-----
From: Robert [mailto:catcher@linuxmail.org]
Sent: Thursday, January 06, 2005 2:49 PM
To: beginners-cgi@perl.org
Subject: bind values and cgi params
I have a form that is submitting and the url ending is "?position=BSIPL". My
form has "method="get"" in it. I have tried it without a method as well.
I have in my CGI:
my $pid = $q->param('position'); # which should now hold BSIPL right?
My SQL is as so:
my $sth = $dbh->prepare("
SELECT position_id, dstrct_code, authty_type,
authty_given, authty_sevrty, authty_rule,
authty_low_lim, orig_ctl_flag, authty_upp_lim
FROM msf872
WHERE position_id = ?
");
$sth->execute($pid);
I run the CGI through "perl -cw" as well as having "use strict" and "use
warnings". I get no errors but I also get no data back when there is data.
Any suggestions?
Robert
sigzero@gmail.com 2005-01-07, 3:55 pm
Paul Archer wrote:
> 2:48pm, Robert wrote:
>
> Have you looked at the value of $pid itself, or just run it through your
> SQL? In other words, first figure out if it's the parameter being passed to
> your CGI, or if it's your SQL. Don't try to debug both at once.
>
> Paul
I have printed out the value for $pid and it is BSIPL. If I take out
the ? and put BSIPL in it works fine. It is only when I try to use it
as a bind value that it doesn't work.
Robert
Scott R. Godin 2005-01-08, 8:55 pm
Robert wrote:
> I have a form that is submitting and the url ending is "?position=BSIPL". My
> form has "method="get"" in it. I have tried it without a method as well.
>
> I have in my CGI:
>
> my $pid = $q->param('position'); # which should now hold BSIPL right?
>
> My SQL is as so:
>
> my $sth = $dbh->prepare("
> SELECT position_id, dstrct_code, authty_type,
> authty_given, authty_sevrty, authty_rule,
> authty_low_lim, orig_ctl_flag, authty_upp_lim
> FROM msf872
> WHERE position_id = ?
> ");
> $sth->execute($pid);
>
> I run the CGI through "perl -cw" as well as having "use strict" and "use
> warnings". I get no errors but I also get no data back when there is data.
>
> Any suggestions?
>
> Robert
>
>
Hopefully you would also consider using the -T switch in your cgi and
untainting the value of $pid before using it in the database.
$pid =~ /^(\d{1,9})$/ or
error("invalid PID passed: $pid");
$pid = $1; # $pid is now untainted and DEFINITELY contains a 1-9 digit
# integer only
Now you can be sure that the data you're trying to request is what you
expect AND that there's no additional jiggery-pokery going on (like
people trying to inject SQL into your query with
?position="25;delete from SOMETABLE;" or however they do it).
--
Scott R. Godin
Laughing Dragon Services
www.webdragon.net
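An added example, not code from the thread or from any of its posters, that puts Paul's and Scott's advice together: run under taint mode, dump the raw parameter before it reaches any SQL, untaint it against an allow-list pattern, then bind it with a placeholder. The allow-list pattern (chosen to accept the sample value BSIPL), the driver/DSN placeholders and the error() helper are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): taint-mode CGI that validates the
# 'position' parameter against an allow-list pattern before binding it.
# The pattern (1-10 upper-case letters or digits) is an assumption chosen to
# accept the sample value BSIPL; adjust it to the real position_id format.
use strict;
use warnings;
use CGI;
use DBI;
use Data::Dumper;
my $q = CGI->new;

# Step 1 (Paul's advice): inspect the parameter on its own, before any SQL.
# warn lands in the web server's error log; Dumper exposes stray whitespace.
my $raw = $q->param('position');
$raw = '' unless defined $raw;
warn 'position param: ' . Dumper($raw) . 'length=' . length($raw) . "\n";

# Step 2 (Scott's advice): untaint by capturing an allow-listed value.
my $pid = untaint_position($raw)
    or error("invalid position id passed: $raw");

# Step 3: bind the validated value; the placeholder keeps it out of the SQL
# text, so even a hostile value is only ever compared, never executed.
# Driver and DSN below are placeholders, not the thread's real database.
my $dbh = DBI->connect('dbi:DRIVER_PLACEHOLDER:DSN_PLACEHOLDER', 'user', 'pass',
                       { RaiseError => 1, AutoCommit => 1 });
my $sth = $dbh->prepare(q{
    SELECT position_id, dstrct_code, authty_type
      FROM msf872
     WHERE position_id = ?
});
$sth->execute($pid);
my $rows = $sth->fetchall_arrayref;
# Zero rows here means the value or the data, not the placeholder, is wrong.
warn 'rows returned: ' . scalar(@$rows) . "\n";

# Returns the untainted id, or undef when it does not match the allow-list.
# \A and \z anchor the whole string; $ alone would accept a trailing newline.
sub untaint_position {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A([A-Z0-9]{1,10})\z/ ? $1 : undef;
}

# Hypothetical error helper standing in for the one Scott's snippet calls.
sub error {
    my ($msg) = @_;
    print $q->header('text/plain'), "Error: $msg\n";
    exit 0;
}
```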