in reply to Perl cgi question
$sth = $dbh->prepare ("INSERT INTO testimonial VALUES(?,?,?,?,?)") or die "prepare: $stmt: $DBI::errstr"; $sth->execute ('',$name, $email, $testimonial,'') or die "execute: $stmt: $DBI::errstr";
And one last example to show it working with UPDATE:my %sql_data = ( id => "", aptname => $query->param('aptname'), aptnumber => $query->param('aptnumber'), available => $query->param('available'), onwaiting => $query->param('waitinglist'), appliedfor => $query->param('occupied'), applicant => $query->param('occupantname'), description => $query->param('aptdescription'), ); my $sql = q/INSERT INTO apartments (/.join(',', keys %sql_data).q/) VALUES (/.join(',', ('?') x keys %sql_data).q/)/; $sth = $dbh->prepare($sql) or die "prepare: $stmt: $DBI::errstr"; $sth->execute(values %sql_data) or die "execute: $stmt: $DBI::errstr";
Untainting is a must when going outside your script with a shell, or opening a file, but not as necessary when simply writing to a db. HOWEVER, I have gotten in the habit of untainting all user input as I read it in. And I kill two birds by validating it and possibly producing an error message at the same time. Once you get a module set up, it's easy. Here's a taste:$sth = $dbh->prepare ("UPDATE testimonial SET name = ?, email = ?, quote = ?, approved = ? WHERE id = $id") or die "prepare: $stmt: $DBI::errstr" +; $sth->execute ($name, $email, $testimonial, $approved) or die "execute: $stmt: $DBI::errstr";
and a piece of my module:use Validate; my (@errors); my $name = Validate->alphanum ($query->param('name')); push @errors, "Empty or invalid characters in Name\n" unless $name; if (@errors) { ...do something... }
And finally, if you haven't heard it already, the mantra around here is "Never, never trust user input." Good luck and safe flying.package Validate; sub alphanum { my ($class, $value) = @_; return unless $value =~ /^([A-Za-z0-9 -]*)$/; return "$1"; } 1;
|
|---|