Re: Re: Using CGI params for SQL statement

Hi all, thanks for your suggestions. My solution is appended below. Passing the hidden field $input solved my problem...
Regards,
Stacy.

use CGI qw(:standard :netscape *table);
use CGI::Carp qw(fatalsToBrowser);
use CGI::Pretty qw( :html3 );
use strict;

my ($order_by,$sql,$order_by_check,$order_by_input);

$sql = qq{SELECT * FROM TABLE}; 

$order_by       = param('order_by');
$order_by_check = param('order_by_check');

if ($order_by) {
  $sql .= " ORDER BY $order_by ";
  if ($order_by_check eq $order_by) {
    $sql .= ' DESC ';
    $order_by_check = $order_by;
  } else {
    $sql .= ' ASC ';
    $order_by_input = "<INPUT TYPE=hidden NAME=order_by_check VALUE=\"
+$order_by\">";
  }
}

print header,
  
  start_html(),
  start_form(),
  
  center(
     start_table(),
     Tr(td(submit('order_by','FAULT_NO',)),
        td(submit('order_by','ISSUE')),
        td(submit('order_by','RESPONSE'))),
     end_table(),
     p($sql),
     $order_by_input,
    ),
  
  end_form(),
  end_html();

exit;
[download]

Comment on Re: Re: Using CGI params for SQL statement Download Code

Replies are listed 'Best First'.
(jeffa) 3Re: Using CGI params for SQL statement by jeffa (Bishop) on Feb 26, 2002 at 18:14 UTC
Instead of relying on user input for the values of the params 'order_by' and 'order_by_check', you should use a lookup table instead. Consider this: the user enters in their own values instead of using the buttons you supply: bar.cgi?order_by=foo&order_by_check=bar Now what? You get a database error. A lookup table is a hash that contains valid keys, the values can be any true value, : `my %lookup = ( FAULT_NO => 'FAULT_NO', ISSUE => 'ISSUE', RESPONSE => 'RESPONSE', ); # task of automating the creation of the hash # is left as an excerise to the reader ;)` [download] Now, instead of just accepting the parameter as is from CGI.pm, you can 'filter' it: `$order_by = $lookup{ param('order_by') }; $order_by_check = $lookup{ param('order_by_check') }; if ($order_by) { ... } ...` [download] When the user enters a value for a field that doesn't exist, the error is treated the same as if the user did not enter any value for a field at all. Works like a charm ... until you want to inform the user of that fact. :( jeffa L-LL-L--L-LL-L--L-LL-L-- -R--R-RR-R--R-RR-R--R-RR B--B--B--B--B--B--B--B-- H---H---H---H---H---H--- (the triplet paradiddle with high-hat)	[reply] [d/l] [select]

Replies are listed 'Best First'.

(jeffa) 3Re: Using CGI params for SQL statement
by jeffa (Bishop) on Feb 26, 2002 at 18:14 UTC

bar.cgi?order_by=foo&order_by_check=bar

my %lookup = (
   FAULT_NO => 'FAULT_NO',
   ISSUE    => 'ISSUE',
   RESPONSE => 'RESPONSE',
);
# task of automating the creation of the hash
# is left as an excerise to the reader ;)
[download]

$order_by       = $lookup{ param('order_by') };
$order_by_check = $lookup{ param('order_by_check') };

if ($order_by) {
   ...
}
...
[download]

jeffa

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)

[reply]
[d/l]
[select]