The CGI::param function relies on wantarray to determine the context in which it is called. In your execute statement, it's being called in list context and if either "member" or "goup" can return more than one value, they will. Further, just adding this data to the database without sanity checking is not a good idea. Who knows what values might get in their and whether or not they are correct? Also, you may as well pass $org in as a bind variable. It's more consistent.

Assuming that you have already untainted $org and that "member" and "group" are numeric only (just assuming for illustrative purposes, of course):

  my $_member  = param( 'member' );
  my $_group   = param( 'group' );

  # untaint 
  #(this was wrong at first.  Thanks to tye for catching my stupid err
+or) :(
  my ( $member ) = $_member =~ /^(\d+)$/;
  my ( $group )  = $_group  =~ /^(\d+)$/;

  my $sql = 'INSERT INTO wbwc_roster(member, group, org) VALUES (?, ?,
+ ?)';
  my $sth = $dbh->prepare( $sql );
  $sth->execute( $member, $group, $org ) or die $dbh->errstr;

[download]

Something along those lines should solve the problem. However, if either "member" or "group" do legitimately have more than one value, you're losing information.

Cheers,
Ovid

Update: I think I should clarify about the potential security issue here. Let's say your group table is defined like this:

group_id | group_name
---------------------
1        | admin
2        | programmer
3        | quality control
4        | manager

[download]

Now let's say that someone on your system can add people to your roster, but isn't allowed to add them to the admin group unless they are already an administrator. Even if the Web page they submit doesn't give them an "admin" group, it's trivial to munge the results to submit a "1" as the group id. Thus, someone can escalate priveleges of the person added to the roster. This may not apply in your case, but it's worth considering. You may need to add much more sanity checking to your code.

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

In reply to Re: MySQL confusion (security hole?) by Ovid
in thread MySQL confusion by andrew

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.