in reply to MySQL confusion
The CGI::param function relies on wantarray to determine the context in which it is called. In your execute statement, it's being called in list context and if either "member" or "goup" can return more than one value, they will. Further, just adding this data to the database without sanity checking is not a good idea. Who knows what values might get in their and whether or not they are correct? Also, you may as well pass $org in as a bind variable. It's more consistent.
Assuming that you have already untainted $org and that "member" and "group" are numeric only (just assuming for illustrative purposes, of course):
my $_member = param( 'member' ); my $_group = param( 'group' ); # untaint #(this was wrong at first. Thanks to tye for catching my stupid err +or) :( my ( $member ) = $_member =~ /^(\d+)$/; my ( $group ) = $_group =~ /^(\d+)$/; my $sql = 'INSERT INTO wbwc_roster(member, group, org) VALUES (?, ?, + ?)'; my $sth = $dbh->prepare( $sql ); $sth->execute( $member, $group, $org ) or die $dbh->errstr;
Something along those lines should solve the problem. However, if either "member" or "group" do legitimately have more than one value, you're losing information.
Cheers,
Ovid
Update: I think I should clarify about the potential security issue here. Let's say your group table is defined like this:
group_id | group_name --------------------- 1 | admin 2 | programmer 3 | quality control 4 | manager
Now let's say that someone on your system can add people to your roster, but isn't allowed to add them to the admin group unless they are already an administrator. Even if the Web page they submit doesn't give them an "admin" group, it's trivial to munge the results to submit a "1" as the group id. Thus, someone can escalate priveleges of the person added to the roster. This may not apply in your case, but it's worth considering. You may need to add much more sanity checking to your code.
Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.
|
|---|