Returning values from mysql with cgi

Chaotic Jarod has asked for the wisdom of the Perl Monks concerning the following question:

So I need to return a single line of data in a table called users, it must be based on the name that is inputted through the html page. I must return it into this table. At one point I had it just returning the name but now it just displays the table without error. I'm a new aspiring perl programmer doing this for a term project and trying to go the extra mile. Heres my code.

#!/usr/bin/perl -w
use CGI qw(standard);
use DBI();
use DBD::mysql;
use warnings;
use diagnostics;

my $q = CGI->new;

my $name = $q->param('name');

my $dbh = DBI->connect('dbi:mysql:oncall','webuser','password')
    or die "Connection Error: $DBI::errstr\n";
    my $sth = $dbh->prepare('Select * from users where name = "$name"'
+);
    
    $sth->execute();
    
print $q->header;
    print $q->start_html;
    print "<HTML>\n<HEAD>\n<TITLE>Users scheduled</title>\n</head>\n<B
+ody bgcolor=white\n";
    print "<h1>Users Schedules</h1>\n";
    print "<Table border= 3>\n";
    print "<TR><TH> Name</TH>><TH>On-Call</TH>><TH>Phone Number</th>\n
+";
    my ($name, $day, $phone) = $sth->fetchrow_array();
    print "<tr><td>$name</td><td>$day</td><td>$phone</td>\n";
    
    
    print "</table></body></html>\n";
    $sth->finish();
    $dbh->disconnect();
    exit;
[download]

Comment on Returning values from mysql with cgi Download Code

Replies are listed 'Best First'.
Re: Returning values from mysql with cgi by davido (Cardinal) on Jul 18, 2013 at 05:35 UTC
My previous answer showed you how to do interpolation, and more importantly, how to avoid interpolation by using placeholders. You're still doing interpolation wrong, and more importantly, still not using placeholders. These lines: `my $sth = $dbh->prepare('Select * from users where name = "$name"'); $sth->execute();` [download] Are still wrong, for two reasons. First, because single quotes don't do variable interpolation, even if you embed double quotes within them: `my $var = "Hello"; my $other = '$var world'; # Wrong. my $outro = '"$var" world'; # Still wrong. my $right = "$var world"; # Correct.` [download] This is documented briefly in perlintro: Basic Syntax Overview, and in more detail in perlop. But you don't need interpolation, and shouldn't even be using it, because it's error-prone at best, and unsafe at worst when using it to construct queries. Instead, use placeholders. I showed you how in my previous answer, but your code changed slightly, so I'll demonstrate again, this time in consideration of the modified code: `my $sth = $dbh->prepare( 'SELECT * FROM users WHERE name = ?' ); $sth->execute( $name );` [download] I referred you earlier to the documentation for DBI. This time I'll link to the exact section within that document where you should focus your reading: Placeholders and Bind Values Dave	[reply] [d/l] [select]
Re^2: Returning values from mysql with cgi by Chaotic Jarod (Novice) on Jul 18, 2013 at 13:26 UTC
Thanks a lot, I didn't notice your last post, still trying to get used to the layout of the site, sorry about that.	[reply]
Re: Returning values from mysql with cgi by poj (Abbot) on Jul 18, 2013 at 06:03 UTC
I assume you can fix this from the replies to your previous posts. As you code gets more complex, you will find it easier to debug if you organise the code as far as possible into logical self contained blocks e.g. separate the data preparation from the data display. The odd comment line helps too. Like this use strict; use warnings; use diagnostics; use CGI qw(standard); #use CGI::Carp 'fatalsToBrowser'; use DBI(); use DBD::mysql; # input parameters my $q = CGI->new; my $name = $q->param('name'); # prepare data my $dbh = DBI->connect('dbi:mysql:oncall','webuser','password') or die "Connection Error: $DBI::errstr"; my $sql = 'SELECT name,day,phone FROM users WHERE name = ?'; my $sth = $dbh->prepare($sql); $sth->execute($name); my ($name, $day, $phone) = $sth->fetchrow_array(); $sth->finish(); $dbh->disconnect(); # display data print $q->header; print $q->start_html( -title=>'Users Schedules' ); # use here-doc for html print <<HTML; <h1>Users Schedules</h1> <table border="3" cellpadding="5"> <tr> <th>Name</th> <th>On-Call</th> <th>Phone Number</th> </tr> <tr> <td>$name</td> <td>$day</td> <td>$phone</td> </tr> </table> HTML # if the result is not what you expected # add a debug line to show what the # database is being asked to do print "<hr/><tt>SQL=[$sql] : ?=[$name]</tt>"; print $q->end_html; [download] poj	[reply] [d/l]
Re: Returning values from mysql with cgi by Anonymous Monk on Jul 18, 2013 at 00:37 UTC
See Re^3: Question about this simple CGI and Re: MySql in cgi and use more Basic debugging checklist	[reply]