What you should do is create the entry when you process the first form and update the entry when you process the additional forms.

However, that can provide a humongous security hole for people to explore your database.

Let's say you create the record, as id 1234, and then stick hidden field 1234 into each of the additional forms, to enable updating the records. Then a malicious child might look at the page source, alter the hidden field to values in the range 1..1233, and view information about existing members, or update the data in undesirable ways. It would not be good if someone updates positive account balances to negative, or vice versa.

Since you say these are questionnaires, people should only be on the four pages for a few minutes, no more than an hour or two. I would suggest having one table, for incomplete interviewees, and another, possibly even in a different database, for complete ones.

When someone fills out a form, they get a random number between 1 and a gazillion as a key. When they fill out the additional pages, look up the key in the key_to_memberId table, obtaining the id for their incomplete record, which can now be updated. Random hunting will have limited success, since the key_to_memberId table is very sparsely populated.

Once an hour, a different script checks for complete interview records, and moves them to a different table, in a different database. Now complete records are safe from accidental or malicious web access. At the same time, any incomplete questionnaires older than a couple of hours can be deleted, to protect them from snoopers. Don't forget to trim obsolete entries from key_to_memberId.

Now records are only exposed to web probing for a limited time, and access is controlled.

Don't forget to verify the key returning from the web page contains only digits, no '123; rm -rf'.

--
TTTATCGGTCGTTATATAGATGTTTGCA


In reply to Re: Perl and Database Input by TomDLux
in thread Perl and Database Input by Anonymous Monk
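An added illustration of the scheme above, not TomDLux's code: the key_to_memberId indirection, the digits-only check on the incoming key, and the two-hour expiry, in Perl with DBI against an in-memory SQLite database. It assumes DBI and DBD::SQLite are installed, a Unix /dev/urandom, and a 64-bit perl; the hourly move of completed records to a second database is left out.

```perl
use strict;
use warnings;
use DBI;   # assumption: DBI and DBD::SQLite are available

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE incomplete (id INTEGER PRIMARY KEY, name TEXT, page INTEGER, created INTEGER)');
$dbh->do('CREATE TABLE key_to_memberId (key TEXT PRIMARY KEY, member_id INTEGER, created INTEGER)');

# Sparse random key: 64 bits from /dev/urandom. rand() is predictable, so it is not used.
sub new_key {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $buf, 8;
    close $fh;
    return unpack 'Q', $buf;   # 'Q' assumes a 64-bit perl; stored as text below
}

# First form: create the incomplete record and hand back the opaque key, not the row id.
sub start_interview {
    my ($name) = @_;
    $dbh->do('INSERT INTO incomplete (name, page, created) VALUES (?, ?, ?)', undef, $name, 1, time);
    my $id  = $dbh->last_insert_id(undef, undef, 'incomplete', 'id');
    my $key = new_key();
    $dbh->do('INSERT INTO key_to_memberId (key, member_id, created) VALUES (?, ?, ?)', undef, "$key", $id, time);
    return $key;
}

# Later forms: accept only a digit string, then resolve it through the lookup table.
sub update_page {
    my ($key, $page) = @_;
    return unless defined $key && $key =~ /\A[0-9]{1,20}\z/;   # rejects '123; rm -rf'
    my ($id) = $dbh->selectrow_array('SELECT member_id FROM key_to_memberId WHERE key = ?', undef, $key);
    return unless defined $id;   # unknown or guessed key: nothing is touched
    $dbh->do('UPDATE incomplete SET page = ? WHERE id = ?', undef, $page, $id);
    return $id;
}

# Hourly cleanup: drop incomplete records and their keys once they are older than two hours.
sub expire_stale {
    my $cutoff = time - 2 * 3600;
    $dbh->do('DELETE FROM incomplete WHERE created < ?', undef, $cutoff);
    $dbh->do('DELETE FROM key_to_memberId WHERE created < ?', undef, $cutoff);
}

my $key = start_interview('alice');
print "page 2 saved for id ", update_page($key, 2), "\n";
print "shell-ish key rejected\n" unless defined update_page('123; rm -rf', 2);
print "guessed key 1 finds nothing\n" unless defined update_page('1', 2);
expire_stale();
```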
