I have a form that is submitting and the url ending is "?position=BSIPL". My
form has "method="get"" in it. I have tried it without a method as well.
I have in my CGI:
my $pid = $q->param('position'); # which should now hold BSIPL right?
My SQL is as so:
my $sth = $dbh->prepare("
SELECT position_id, dstrct_code, authty_type,
authty_given, authty_sevrty, authty_rule,
authty_low_lim, orig_ctl_flag, authty_upp_lim
FROM msf872
WHERE position_id = ?
");
$sth->execute($pid);
I run the CGI through "perl -cw" as well as having "use strict" and "use
warnings". I get no errors but I also get no data back when there is data.
Any suggestions?
Robert
2:48pm, Robert wrote:
> I have a form that is submitting and the url ending is "?position=BSIPL". My
> form has "method="get"" in it. I have tried it without a method as well.
>
> I have in my CGI:
>
> my $pid = $q->param('position'); # which should now hold BSIPL right?
>
> My SQL is as so:
>
> my $sth = $dbh->prepare("
> SELECT position_id, dstrct_code, authty_type,
> authty_given, authty_sevrty, authty_rule,
> authty_low_lim, orig_ctl_flag, authty_upp_lim
> FROM msf872
> WHERE position_id = ?
> ");
> $sth->execute($pid);
>
> I run the CGI through "perl -cw" as well as having "use strict" and "use
> warnings". I get no errors but I also get no data back when there is data.
>
> Any suggestions?
>
Have you looked at the value of $pid itself, or just run it through your
SQL? In other words, first figure out if it's the parameter being passed to
your CGI, or if it's your SQL. Don't try to debug both at once.
Paul
You wouldn't by any chance be calling it $pid in one place and $position_id
in another?
DARFC, GStC.
-----Original Message-----
From: Robert [mailto:catcher@linuxmail.org]
Sent: Thursday, January 06, 2005 2:49 PM
To: beginners-cgi@perl.org
Subject: bind values and cgi params
Paul Archer wrote:
> 2:48pm, Robert wrote:
> > [...]
> Have you looked at the value of $pid itself, or just run it through your
> SQL? In other words, first figure out if it's the parameter being passed to
> your CGI, or if it's your SQL. Don't try to debug both at once.
>
> Paul
I have printed out the value for $pid and it is BSIPL. If I take out the ? and put BSIPL in it works fine. It is only when I try to use it as a bind value that it doesn't work.
Robert
Robert wrote:
> I have a form that is submitting and the url ending is "?position=BSIPL". My
> form has "method="get"" in it. I have tried it without a method as well.
>
> I have in my CGI:
>
> my $pid = $q->param('position'); # which should now hold BSIPL right?
>
> My SQL is as so:
>
> my $sth = $dbh->prepare("
> SELECT position_id, dstrct_code, authty_type,
> authty_given, authty_sevrty, authty_rule,
> authty_low_lim, orig_ctl_flag, authty_upp_lim
> FROM msf872
> WHERE position_id = ?
> ");
> $sth->execute($pid);
>
> I run the CGI through "perl -cw" as well as having "use strict" and "use
> warnings". I get no errors but I also get no data back when there is data.
>
> Any suggestions?
>
> Robert
>
>
Hopefully you would also consider using the -T switch in your CGI and
untainting the value of $pid before using it in the database.
$pid =~ /^(\d{1,9})$/ or
error("invalid PID passed: $pid");
$pid = $1; # $pid is now untainted and DEFINITELY contains a 1-9 digit
# integer only
Now you can be sure that the data you're trying to request is what you
expect AND that there's no additional jiggery-pokery going on (like
people trying to inject SQL into your query with
?position="25;delete from SOMETABLE;" or however they do it).
--
Scott R. Godin
Laughing Dragon Services
www.webdragon.net
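As an added example (not code from anyone in this thread), the two suggestions above put together in one runnable script: print the parameter on its own before touching the database (Paul's check), untaint it under -T before it reaches DBI (Scott's point), and then run the placeholder query. It assumes DBD::SQLite is installed, builds a constructed msf872 table in memory, and assumes position ids are short uppercase letters/digits (matching the page's BSIPL) rather than the digits-only pattern in Scott's post.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Run as: perl -T this_script.pl
# Assumptions: DBD::SQLite is available; the msf872 rows are constructed here;
# position ids are 1-10 uppercase letters/digits (matches the page's BSIPL),
# not the digits-only pattern from Scott's post.
use strict;
use warnings;
use CGI;
use DBI;

# Under -T every request value is tainted; the regex capture is what
# untaints it, and it also rejects anything outside the expected shape.
sub untaint_position {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Z0-9]{1,10})\z/ ? $1 : undef;
}

# Same query shape as the thread's; the value travels as a bind parameter,
# so it is never spliced into the SQL text.
sub fetch_position {
    my ($dbh, $pid) = @_;
    my $sth = $dbh->prepare('SELECT position_id, dstrct_code, authty_type'
                          . ' FROM msf872 WHERE position_id = ?');
    $sth->execute($pid);
    return $sth->fetchall_arrayref({});
}

sub build_demo_db {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                           { RaiseError => 1, AutoCommit => 1 });
    $dbh->do('CREATE TABLE msf872 (position_id TEXT, dstrct_code TEXT, authty_type TEXT)');
    my $ins = $dbh->prepare('INSERT INTO msf872 VALUES (?, ?, ?)');
    $ins->execute(@$_) for (['BSIPL', 'D01', 'A'], ['XQ7', 'D02', 'B']);  # constructed rows
    return $dbh;
}

# The thread's request "?position=BSIPL", then a value carrying a stray quote.
my $dbh = build_demo_db();
for my $qs ('position=BSIPL', 'position=BSIPL%27%3B--') {
    my $q   = CGI->new($qs);             # CGI.pm accepts a query string directly
    my $raw = $q->param('position');
    my $pid = untaint_position($raw);
    # Paul's step: look at the parameter itself before blaming the SQL.
    printf "raw=[%s] pid=%s\n", $raw, defined $pid ? $pid : '(rejected)';
    next unless defined $pid;
    my $rows = fetch_position($dbh, $pid);
    printf "  %d row(s) for %s\n", scalar @$rows, $pid;
}
```

The first request prints one row for BSIPL; the second never reaches DBI because the untaint regex rejects it.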