Aymiee has asked for the wisdom of the Perl Monks concerning the following question:

Okay, so I have fetched some data from a SQL Server. I am taking the value and placing it in a html select box.

SystemName: <select name="system" >
    while ($pointer = $sth->fetchrow_arrayref) {
        $id   = $pointer->[0];
        $s    = $pointer->[1];
        $name = $pointer->[2];
        print "<option value=" . $name . ">$name";   # value attribute is not quoted
    }
The $name holds this value ="Doe, John". When I call it from another page using param('system'), I am only getting "Doe,". "John" does not get concatenated with the name. HOWEVER, if I do hard code the name in the value:
SystemName: <select name="system" >
    while ($pointer = $sth->fetchrow_arrayref) {
        $id   = $pointer->[0];
        $s    = $pointer->[1];
        $name = $pointer->[2];
        print qq(<option value="Doe, John">$name);   # hard-coded, quoted value
    }
and call it from param('system'), then I get value = "Doe, John". Does anyone know why passing a string from an array does not get escaped correctly vs passing a hardcoded string?

Re: Perl Param
by bart (Canon) on Apr 23, 2005 at 05:14 UTC
    You really ought to escape the contents of whatever you pull out of the database and put into these attributes. By lack of quotes, you already experienced one way it can go wrong. But what if the database field contains a quote? Or an ampersand? As a contrived example, set
    $name = 'buy&trade&copy&paste" style="color:red';
    print qq(<html><form>\n);
    print qq(<input name="oops" value="$name">$name\n);
    print qq(<br><input type="submit"></form></html>\n);
    and display the result in a browser. Oops.

    I gave one piece of code that solves this problem in a post from yesterday, Re: converting utf-8 to ISO-8859-1. If you don't have the UTF-8 problem, and I bet you don't, replace the first line in sub escape, the statement with pack, with a plain and simple

    my $s = shift;
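    The truncation the question describes and the escaping bart recommends, put side by side as an added example that is not code from this thread. `escape_html` is a hypothetical stand-in for the `sub escape` bart points to, `option_unsafe`/`option_safe` are names chosen here, and the rows are constructed sample data standing in for `$sth->fetchrow_arrayref`:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that can terminate an HTML attribute value or
# element body. Added example, modelled on the "sub escape" bart refers to;
# HTML::Entities::encode_entities or CGI::escapeHTML do the same job.
sub escape_html {
    my $s = shift;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;      # must come first, or the other entities get double-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# The way the question built the option: value unquoted, nothing escaped.
# A space in $name ends the attribute, so "Doe, John" arrives as "Doe,".
sub option_unsafe {
    my $name = shift;
    return "<option value=" . $name . ">$name</option>";
}

# Quoted and escaped: the browser sees exactly one attribute value,
# and param('system') returns the original string.
sub option_safe {
    my $name = shift;
    my $e = escape_html($name);
    return qq(<option value="$e">$e</option>);
}

# Constructed sample rows in the [id, s, name] layout the question reads,
# including the attribute-breaking value from bart's post.
my @rows = (
    [1, 'x', 'Doe, John'],
    [2, 'y', 'buy&trade&copy&paste" style="color:red'],
);

print qq(SystemName: <select name="system">\n);
for my $row (@rows) {
    my ($id, $s, $name) = @$row;
    print "  ", option_safe($name), "\n";
}
print "</select>\n";

# The same rows rendered the original way, for comparison.
print "\nUnsafe output:\n";
print "  ", option_unsafe($_->[2]), "\n" for @rows;
```

    Run it and compare the two outputs. The safe version emits `<option value="Doe, John">Doe, John</option>`, and the second row's `"` becomes `&quot;`, so `style="color:red` stays inside the value instead of becoming a real attribute. In the unsafe version the first row's value is split at the space, which is the symptom in the question, and the second row's `&copy` is one of the entities browsers decode even without a trailing semicolon, which is why the ampersand has to be escaped as well as the quote.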
Re: Perl Param
by tlm (Prior) on Apr 23, 2005 at 04:31 UTC

    Try this:

    print qq(<option value="$name">$name</option>);

    the lowliest monk

      tlm, that was it!!! An oversight on my newbie brain!! Thank you.