in reply to [SOLVED]Bind and fetch fails

The query in databaseLWP.cgi is an INSERT and therefore calling bind_columns on the already executed statement makes no sense. Nor does the subsequent fetch. Have you forgotten to prepare and execute some other SELECT query in the meantime, perhaps?

Replies are listed 'Best First'.
Re^2: Bind and fetch fails
by Eirinya (Novice) on Dec 11, 2015 at 08:45 UTC

    *Updated* I didn't prepare other Select, all that I did for the exercise is in the code posts. I thought about what you said and I thought that probably bind_column was useless because I just wanted print the values of the variables presents in the table and maybe it's not important to bind them to columns so, trying to think in a simpler way, I removed the while cycle and the subsequent fetch replacing them with a simple print of variables.
    I also changed the assigment of keywords inserted in the form html of the first script to the variables in databaseLWP(the script that I'm modifying) in a more correct way, now the reply-page returns the correct valor(except id), but not from table, just from html form, in fact the id value isn't shows.
    At least I found the bug that caused the problem with inclusion of the value in databases and was the mysql syntax in the query(I missed the '' near the names of values), a common beginner mistake, but I also changed the ? with directly name of the variables because if I didn't it the query inserted only ? instead of values.
    With these modifications the script now puts the value in the database but without enough security in my opinion, what do you suggest? 

    
(...)

#prepare the query
my $sql = "INSERT INTO prodotti (nome_prod , tipologia_prod) VALUES ('
+$key_nome_prod' , '$key_tipo_prod' )" ;
my $sth = $dbh->prepare( $sql );
#$sth->bind_param( $key_nome_prod , $key_tipo_prod );

(...)

print "<i>La lista aggiornata dei prodotti presenti nel database negoz
+i è:</i> <br><br>";
print " ==============================================================
+===== <br><br>";


print "<i>Id del prodotto=</i><b> $id_prod </b>,<i> il nome del prodot
+to è</i><b> $key_nome_prod </b> della tipologia $key_ti$

    [download]

[reply]
[d/l]
      but I also changed the ? with directly name of the variables because if I didn't it the query inserted only ? instead of values. With these modifications the script now puts the value in the database but without enough security in my opinion, what do you suggest?

      Don't put quotes around the question marks. If you do they will be treated as string literals. Here's some sample code to get you started:

      my $sql = 'INSERT INTO prodotti (nome_prod , tipologia_prod) VALUES (?
+, ?)' ;
my $sth = $dbh->prepare ($sql);
my $res = $sth->execute ($key_nome_prod, $key_tipo_prod);
die ("Result is $res instead of 1: " . $sth->errstr) unless (defined $
+res && $res == 1);

      [download]

      In order this:

      1. Sets up the SQL statement with 2 placeholders for the data values
      2. Prepares the SQL statement into a statement handle $sth
      3. Executes one insert with the two variables as bound arguments and captures the result
      4. Throws an exception if the result is not as expected

      Constructing the query this way with the bind parameters means that the data from the untrusted source is handled securely by the driver and eliminates the possibility of SQL injection from this direction.

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom