comment on

tachyon, as usual, is right on. I have learned, from hanging out at the monastery, that it is indeed what you DO with what you get from the user that is key. I asked a similar question back in July, as a novice.

Just to wet your appetite, here's an example of using placeholders when INSERTing or UPDATEing a MySQL db (and yes, you will find many examples with a Super Search).

$sth = $dbh->prepare ("INSERT INTO testimonial VALUES(?,?,?,?,?)") 
   or die "prepare: $stmt: $DBI::errstr";
$sth->execute ('',$name, $email, $testimonial,'') 
   or die "execute: $stmt: $DBI::errstr";
[download]

Or a cool way of handing lots of input destined for a large record (learned this here at the monastery from hardburn at this node):

my %sql_data = (
   id          => "",
   aptname     => $query->param('aptname'), 
   aptnumber   => $query->param('aptnumber'),     
   available   => $query->param('available'),        
   onwaiting   => $query->param('waitinglist'),        
   appliedfor  => $query->param('occupied'),            
   applicant   => $query->param('occupantname'),        
   description => $query->param('aptdescription'),
);
        
my $sql = q/INSERT INTO apartments (/.join(',', keys %sql_data).q/) 
   VALUES (/.join(',', ('?') x keys %sql_data).q/)/;
   
$sth = $dbh->prepare($sql) or die "prepare: $stmt: $DBI::errstr";
$sth->execute(values %sql_data) or die "execute: $stmt: $DBI::errstr";
[download]

And one last example to show it working with UPDATE:

$sth = $dbh->prepare ("UPDATE testimonial SET 
   name     = ?,
   email    = ?, 
   quote    = ?,    
   approved = ? WHERE id = $id") or die "prepare: $stmt: $DBI::errstr"
+;
        
$sth->execute ($name, $email, $testimonial, $approved) 
   or die "execute: $stmt: $DBI::errstr";
[download]

Untainting is a must when going outside your script with a shell, or opening a file, but not as necessary when simply writing to a db. HOWEVER, I have gotten in the habit of untainting all user input as I read it in. And I kill two birds by validating it and possibly producing an error message at the same time. Once you get a module set up, it's easy. Here's a taste:

use Validate;
my (@errors);
my $name = Validate->alphanum ($query->param('name'));
   push @errors, "Empty or invalid characters in Name\n" unless $name;

if (@errors) { ...do something... }
[download]

and a piece of my module:

package Validate;
sub alphanum {
   my ($class, $value) = @_;
   return unless $value =~ /^([A-Za-z0-9 -]*)$/;
   return "$1";
}
1;
[download]

And finally, if you haven't heard it already, the mantra around here is "Never, never trust user input." Good luck and safe flying.

—Brad
"A little yeast leavens the whole dough."

In reply to Re: Perl cgi question by bradcathey
in thread Perl cgi question by Anonymous Monk

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.