The *most* important missing element is using placeholders in the SQL, i.e. 'INSERT INTO foo VALUES(?,?)'. As your code stands it is totally open to injection, as I can pass any values and you don't check those values and you interpolate them directly. Your code is pretty much as insecure as it is possible to be. Placeholders will do the quoting and fix this. I recommend A short guide to DBI. You should also read Ovid's CGI tutorial. This is how you might well write it in a few weeks/months....

```perl
#!/usr/bin/perl -wT
use strict;
use DBI;
use CGI;
use POSIX 'strftime';

my $database  = "database";
my $db_server = "localhost";
my $user      = "user";
my $password  = "password";
my $redirect  = 'http://www.yourname.com/index.html';

# One list of column names drives both the defaults and the INSERT.
my @fields = qw(
    state city locationname referencename lat_deg lat_min lat_sec
    long_deg long_min long_sec xcoord ycoord ttime level radar laser
    vascar airplane photo roadblock unknown comments email name date_added
);

my $q     = CGI->new();
my %INPUT = $q->Vars;
$INPUT{$_} ||= ''      for @fields;
$INPUT{$_} ||= 'false' for qw( radar laser vascar airplane photo roadblock unknown );
$INPUT{'date_added'} = strftime( "%A, %B %d, %Y at %H:%M:%S", localtime() );

my $dbh = DBI->connect( "DBI:mysql:$database:$db_server", $user, $password );

# Build the statement with one '?' placeholder per column; the values are
# bound separately, so nothing from the form is ever interpolated into SQL.
my $sql = 'INSERT INTO speedtrap (' . ( join ',', @fields ) . ') '
        . 'VALUES (' . ( join ',', ('?') x scalar(@fields) ) . ')';

# $dbh->do takes an attribute hashref (or undef) before the bind values.
$dbh->do( $sql, undef, @INPUT{@fields} );
$dbh->disconnect;
print $q->redirect($redirect);
```

I hope this shows you a few things. I would however suggest you store epoch time, i.e. the 32-bit integer you get from time(), in your database. It makes extracting data between two dates much easier and takes up much less room. It is trivial to format it into a nice string for output. You should validate data before you stuff it into your database or you will accumulate rubbish; better it never gets there in the first place.

cheers

tachyon
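The three points in the reply above (placeholders instead of interpolation, whitelist validation before the INSERT, and epoch time in the date column) worked through in one runnable script. This is an added example, not tachyon's or awohld's code. It assumes DBD::SQLite is installed and uses an in-memory database in place of the MySQL server from the post; the helper names validate, insert_trap and traps_since are made up for the example, and the two submissions are constructed inputs. If run with perl -T, the capture group in each whitelist pattern is what untaints the value.

```perl
#!/usr/bin/perl -w
use strict;
use warnings;
use DBI;
use POSIX 'strftime';

# Constructed example, not the post's code. Assumes DBD::SQLite is installed;
# an in-memory database stands in for the MySQL server in the post.
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 } );
$dbh->do('CREATE TABLE speedtrap (city TEXT, comments TEXT, date_added INTEGER)');

# Whitelist pattern per column. The capture group is what untaints the value
# under -T; anything outside the allowed characters is rejected outright.
my %allowed = (
    city     => qr/^([A-Za-z .'-]{1,64})$/,
    comments => qr/^([\w .,!?'-]{0,500})$/,
);

# Validate one submission before it goes anywhere near the database.
# Returns (hashref of clean values, undef) or (undef, reason).
sub validate {
    my ($input) = @_;
    my %clean;
    for my $field ( sort keys %allowed ) {
        my $value = defined $input->{$field} ? $input->{$field} : '';
        return ( undef, "rejected $field" ) unless $value =~ $allowed{$field};
        $clean{$field} = $1;
    }
    return ( \%clean, undef );
}

# Insert with placeholders: the SQL text is fixed and the values travel to
# the driver separately, so an apostrophe in the data is stored as data.
# date_added holds epoch seconds as an integer, as the post recommends.
sub insert_trap {
    my ( $dbh, $clean, $now ) = @_;
    my $sql = 'INSERT INTO speedtrap (city, comments, date_added) VALUES (?, ?, ?)';
    # Note the undef: $dbh->do takes \%attr before the bind values.
    return $dbh->do( $sql, undef, $clean->{city}, $clean->{comments}, $now );
}

# With epoch time a date-range query is a plain integer comparison.
sub traps_since {
    my ( $dbh, $since ) = @_;
    return $dbh->selectall_arrayref(
        'SELECT city, comments, date_added FROM speedtrap WHERE date_added >= ? ORDER BY date_added',
        undef, $since );
}

# Constructed submissions: one with apostrophes (legitimate data that naive
# string interpolation would have mangled), one that fails the whitelist.
my @submissions = (
    { city => "St. John's",     comments => "Trap near O'Brien's bakery" },
    { city => "Spring<b>field", comments => "" },
);

my $now = time();
for my $submission (@submissions) {
    my ( $clean, $why ) = validate($submission);
    if ($clean) {
        insert_trap( $dbh, $clean, $now );
        print "stored: $clean->{city}\n";
    }
    else {
        print "dropped: $why\n";
    }
}

# Read back the last day's rows and format the epoch only at output time.
for my $row ( @{ traps_since( $dbh, $now - 86400 ) } ) {
    my ( $city, $comments, $epoch ) = @$row;
    printf "%s | %s | %s\n", $city, $comments,
        strftime( "%A, %B %d, %Y at %H:%M:%S", localtime($epoch) );
}
$dbh->disconnect;
```

The same split applies to the MySQL version in the post: keep the statement text constant, pass every form value as a bind parameter, and reject anything that fails its whitelist before the INSERT runs rather than cleaning the table afterwards.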


In reply to Re: Hacker Proofing My First Script by tachyon
in thread Hacker Proofing My First Script by awohld
