in reply to Re^3: Issuing a DELETE statement with DBI
in thread Issuing a DELETE statement with DBI

Where are you getting the scalar from? I used the following to test my statement:

perl -MCGI=param -le "print for param('title')" ?title=foo;title=bar
foo
bar

To make this into a "really working" attack by injecting keys and values the author didn't foresee, I used this program:

use strict;
use Data::Dumper;
use CGI;

my $q = CGI->new('?title=foo;title=bar;title=injected_key;title=injected_value');
my $query = { title => $q->param('title') };
print Dumper $query;

__END__
# Outputs:
$VAR1 = {
  'injected_key' => 'injected_value',
  'title' => 'bar'
};

Re^5: Issuing a DELETE statement with DBI
by kwaping (Priest) on Sep 01, 2006 at 16:59 UTC
    Thank you for your explanation. Here's my code again, modified slightly to remove scalar and to more closely match the OP's model. The results are the same.
    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;
    my $cgi = CGI->new();
    use Data::Dumper::Simple;
    print Dumper($cgi);
    my $title = $cgi->param('title');
    print $title;
    print $/;
    __END__
    > ./tmp.pl title=foo\;title=user\;bar=
    $cgi = bless( {
      '.parameters' => [ 'title', 'bar' ],
      'bar' => [ '' ],
      '.charset' => 'ISO-8859-1',
      '.fieldnames' => {},
      'title' => [ 'foo', 'user' ],
      'escape' => 1
    }, 'CGI' );
    foo

    ---
    It's all fine and dandy until someone has to look at the code.

      You're getting warmer. But you are assigning to a scalar instead of a hash, which makes cgi behave differently. Below is the same assigning to a hash.

      #!/usr/bin/perl
      use strict;
      use warnings;
      use CGI;
      my $cgi = CGI->new();
      use Data::Dumper;
      print Dumper($cgi);
      my $test = { title => $cgi->param('title')};
      print Dumper($test);
      __END__
      $VAR1 = bless( {
        '.parameters' => [ 'title' ],
        '.charset' => 'ISO-8859-1',
        '.fieldnames' => {},
        'title' => [ 'hello', 'goodbye' ],
        'escape' => 1
      }, 'CGI' );
      Odd number of elements in anonymous hash at hack.pl line 12.
      $VAR1 = {
        'title' => 'hello',
        'goodbye' => undef
      };

      ___________
      Eric Hodges
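The list-context problem shown in the first post and in Eric Hodges' reply, with the scalar-context fix beside it. This is an added example, not code from any poster in this thread; it assumes CGI.pm is installed, and the query string is constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed query string: the "title" field is repeated so that param()
# returns several values when called in list context.
my $q = CGI->new('title=foo;title=injected_key;title=injected_value');

# Vulnerable form: param() sits in list context inside a hash constructor,
# so every extra value becomes a key/value pair of the resulting hash.
# Recent CGI.pm versions print a "called in list context" warning here.
sub build_unsafe {
    my ($cgi) = @_;
    return { title => $cgi->param('title') };
}

# Hardened form: assigning to a scalar forces scalar context, so only the
# first value is used. Use multi_param() where several values are intended.
sub build_safe {
    my ($cgi) = @_;
    my $title = $cgi->param('title');
    return { title => $title };
}

# Detection helper: report keys that the application did not expect.
sub unexpected_keys {
    my ($hash, @allowed) = @_;
    my %ok = map { $_ => 1 } @allowed;
    return sort grep { !$ok{$_} } keys %$hash;
}

my $unsafe = build_unsafe($q);
my $safe   = build_safe($q);

printf "unsafe keys: %s\n", join ',', sort keys %$unsafe;   # injected_key,title
printf "safe keys:   %s\n", join ',', sort keys %$safe;     # title
printf "unexpected:  %s\n", join ',', unexpected_keys($unsafe, 'title');
```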