Code Comments

Variable Value into MySQL DB
Hi guys,

I´m having kind´a problem... Here´s the deal... I´m using CGI so that the
user can, by a browser, type the data that must be recorded into the
database.
I use CGI library to do that... the user type what he wants in the fields,
and these values are sent to some variables... Then, I´d like to record
these variables values in the db... But I just can´t get it done!
I´m using Net::MySQL to do so... when I test the script by writing fixed
values in it, it works fine... but when i try to record variables values
it doesn´t work... could you help me? Here´s my code:
#!/usr/bin/perl
use strict;
use CGI qw/:standard/;
use Net::MySQL;
print header,
start_html('Cadastro de Processos'),
h1('Cadastramento Processos'),
start_form,
"Numero do Processo: ",textfield('process'),br,
"Tipo do Processo: [1-2]",textfield('type'),br,
"Nome do advogado: ",textfield('name'),br,
"Email do advogado: ",textfield('email'),br,
submit,
end_form,
hr,
my $process =param(process);
my $lawyer =param(name);
my $email =param(email);
my $type =param(type);

my $mysql = Net::MySQL->new(
database => 'tj',
user     => 'user',
password => 'pass'
);

$mysql->query(q{
INSERT INTO processo (process, name, email, type) VALUES ($process,
$lawyer, $email, $type)
});



Diogo Senai
12-27-04 08:55 PM


RE: Variable Value into MySQL DB

> -----Original Message-----
> From: diogo.senai@sistemafieg.org.br
> [mailto:diogo.senai@sistemafieg.org.br]
> Sent: Monday, December 27, 2004 12:08 PM
> To: beginners@perl.org
> Subject: Variable Value into MySQL DB
>
>
> Hi guys,
>
> I´m having kind´a problem... Here´s the deal... I´m using CGI so that the
> user can, by a browser, type the data that must be recorded into the
> database.
> I use CGI library to do that... the user type what he wants in the fields,
> and these values are sent to some variables... Then, I´d like to record
> these variables values in the db... But I just can´t get it done!
> I´m using Net::MySQL to do so... when I test the script by writing fixed
> values in it, it works fine... but when i try to record variables values
> it doesn´t work... could you help me? Here´s my code:
> #!/usr/bin/perl
> use strict;
> use CGI qw/:standard/;
>  use Net::MySQL;
> print header,
>         start_html('Cadastro de Processos'),
>         h1('Cadastramento Processos'),
>         start_form,
>         "Numero do Processo: ",textfield('process'),br,
>         "Tipo do Processo: [1-2]",textfield('type'),br,
>         "Nome do advogado: ",textfield('name'),br,
>         "Email do advogado: ",textfield('email'),br,
>         submit,
>         end_form,
>         hr,
> my $process =param(process);
> my $lawyer =param(name);
> my $email =param(email);
> my $type =param(type);
>
>   my $mysql = Net::MySQL->new(
>       database => 'tj',
>       user     => 'user',
>       password => 'pass'
>   );
>
>    $mysql->query(q{
>        INSERT INTO processo (process, name, email, type) VALUES ($process,
> $lawyer, $email, $type)
>    });

I think you have to quote the param:

my $process =param('process');
my $lawyer =param('name');
my $email =param('email');
my $type =param('type');

HTH
Ron



Ron Goral
12-27-04 08:55 PM


Re: Variable Value into MySQL DB
<answer interspersed below>


On Mon, 27 Dec 2004 16:08:20 -0200 (BRST),
diogo.senai@sistemafieg.org.br <diogo.senai@sistemafieg.org.br> wrote:
> Hi guys,
>
> I´m having kind´a problem... Here´s the deal... I´m using CGI so that the
> user can, by a browser, type the data that must be recorded into the
> database.
> I use CGI library to do that... the user type what he wants in the fields,
> and these values are sent to some variables... Then, I´d like to record
> these variables values in the db... But I just can´t get it done!
> I´m using Net::MySQL to do so... when I test the script by writing fixed
> values in it, it works fine... but when i try to record variables values
> it doesn´t work... could you help me? Here´s my code:
> #!/usr/bin/perl
> use strict;
> use CGI qw/:standard/;
>  use Net::MySQL;
> print header,
>         start_html('Cadastro de Processos'),
>         h1('Cadastramento Processos'),
>         start_form,
>         "Numero do Processo: ",textfield('process'),br,
>         "Tipo do Processo: [1-2]",textfield('type'),br,
>         "Nome do advogado: ",textfield('name'),br,
>         "Email do advogado: ",textfield('email'),br,
>         submit,
>         end_form,
>         hr,
> my $process =param(process);
> my $lawyer =param(name);
> my $email =param(email);
> my $type =param(type);
>
>   my $mysql = Net::MySQL->new(
>       database => 'tj',
>       user     => 'user',
>       password => 'pass'
>   );
>
>    $mysql->query(q{
>        INSERT INTO processo (process, name, email, type) VALUES ($process,
> $lawyer, $email, $type)

try enclosing each VALUES variable in double quotes, like so:

... VALUES ("$process", "$lawyer", "$email", "$type")

I believe each non-numeric value needs to be enclosed in quotes - even
as a variable - and the double quotes will allow for proper
interpolation of the variable's values.

>    });

Joe Mecklin
12-27-04 08:55 PM


Re: Variable Value into MySQL DB
> Then, I´d like to record these variables values in the db...
> But I just can´t get it done!

There is something more important (IMHO) than just having
working code.  Your code appears to have no concern for
security, and could be used to compromise your server.

You SHOULD enable Taint checking, warnings (this appears
to have been forgotten) and strict.  Some advice may be
found in the docs:

perldoc perlsec

> I´m using Net::MySQL to do so...

Reading the documentation for the latest 0.08 (!!!) version that
I can find is uncomfortable.  There is no mention of the risk of
SQL code injection, and no apparent means to avoid it.

Is the DBI unsuitable for some reason?  By preparing statements
first, using the DBI, you can make code injection impossible.

Sorry to spoil your effort with a word on security.  This type of
security issue is common and well known, so you can't rely on
nobody noticing.

Jonathan Paton

-- 
#!perl
$J=' 'x25 ;for (qq< 1+10 9+14 5-10 50-9 7+13 2-18 6+13
17+6 02+1 2-10 00+4 00+8 3-13 3+12 01-5 2-10 01+1 03+4
00+4 00+8 1-21 01+1 00+5 01-7 >=~/ \S\S \S\S /gx) {m/(
\d+) (.+) /x,, vec$ J,$p +=$2 ,8,= $c+= +$1} warn $J,,

Jonathan Paton
12-28-04 01:55 AM
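
The prepared-statement and untainting advice in the last reply, shown with DBI as an added example that is not code from any poster in this thread. Assumptions: an in-memory SQLite database (DBD::SQLite) stands in for the MySQL database so the script runs offline, the allow-list patterns for the four form fields are illustrative, and the two form submissions are constructed sample data.

```perl
#!/usr/bin/perl
# Added example. A real CGI script would also run with -T (see perldoc perlsec).
use strict;
use warnings;
use DBI;

# Assumption: in-memory SQLite (DBD::SQLite) stands in for the MySQL database
# so this runs offline; with DBD::mysql the DSN would be 'dbi:mysql:database=tj'.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE processo (process TEXT, name TEXT, email TEXT, type INTEGER)');

# Allow-list patterns (assumed formats). Capturing through a regex is also
# how perlsec says to untaint a value under -T.
my %rule = (
    process => qr/\A([0-9][0-9.\/-]{0,29})\z/,
    type    => qr/\A([12])\z/,
    name    => qr/\A([\p{L} .'"-]{1,80})\z/,
    email   => qr/\A([\w.+-]{1,64}\@[\w.-]{1,255})\z/,
);

sub validate {
    my ($in) = @_;
    my %clean;
    for my $field (sort keys %rule) {
        my $value = $in->{$field};
        defined $value && $value =~ $rule{$field}
            or die "rejected field '$field'\n";
        $clean{$field} = $1;    # keep only the captured, checked text
    }
    return \%clean;
}

# Prepared once; the ? placeholders carry values as data, never as SQL text.
my $insert = $dbh->prepare(
    'INSERT INTO processo (process, name, email, type) VALUES (?, ?, ?, ?)');

# Constructed form submissions; in the CGI script these come from param('...').
my @submissions = (
    { process => '2004/0001', type => '1', name => q{Ana D'Avila "Nina"}, email => 'ana@example.org' },
    { process => '2004/0002', type => '3', name => 'Rui Costa',           email => 'rui@example.org' },
);

for my $form (@submissions) {
    my $ok = eval { validate($form) };
    if (!$ok) { print "skipped: $@"; next }
    $insert->execute(@{$ok}{qw(process name email type)});
}
print join(' | ', @$_), "\n"
    for @{ $dbh->selectall_arrayref('SELECT process, name, type FROM processo') };
```

The second submission is rejected by the `type` rule before it reaches the database, and the first is stored with its apostrophe and double quotes intact because the values are bound to placeholders instead of being interpolated into the statement.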


PERL Beginners archive
