You should be quoting the values you use in your SQL statement. What's
happening is your DB sees the ' or ; in the value and interprets it as
part of the statement, not part of the value. This also opens you up to
SQL injections via malformed values. I recommend using placeholder ?s in
your statement and passing your values as arguments. Read the DBI
documentation for implementation.
RJ
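The placeholder version of the INSERT from Scott's snippet, as an added example that is not part of either message in the thread. It assumes DBD::SQLite and uses an in-memory database so it runs without a MySQL server; the table name and columns are the ones from the post, the input values are constructed, and for the real form you would keep the DBI:mysql DSN and drop the CREATE TABLE.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): the same INSERT as in
# Scott's snippet, rewritten with DBI placeholders. Uses an in-memory
# SQLite database (DBD::SQLite, assumed installed) so it runs without a
# MySQL server; for the real form keep the DBI:mysql DSN and drop the
# CREATE TABLE.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Same table shape as the post: varchar columns plus a blob for comments.
$dbh->do(q{
    CREATE TABLE email (
        name     VARCHAR(255),
        email    VARCHAR(255),
        comments BLOB,
        host     VARCHAR(255),
        agent    VARCHAR(255)
    )
});

# Prepare once; each ? is a placeholder the driver binds at execute time,
# so a ' or ; inside a value is stored as data and never parsed as SQL.
my $insert = $dbh->prepare(q{
    INSERT INTO email (name, email, comments, host, agent)
    VALUES (?, ?, ?, ?, ?)
});

sub save_comment {
    my ($name, $email, $comment, $ip, $ua) = @_;
    return $insert->execute($name, $email, $comment, $ip, $ua);
}

# Constructed input containing the characters that broke the original insert.
my $name    = "O'Brien";
my $comment = q{Nice site; I'd say it's 'great' -- really.};
save_comment($name, 'scott@example.com', $comment, '192.0.2.10',
             'Mozilla/5.0 (constructed UA)');

# Read it back: the value round-trips unchanged, quotes and semicolon included.
my ($stored) = $dbh->selectrow_array(
    'SELECT comments FROM email WHERE name = ?', undef, $name);
print $stored eq $comment ? "round-trip OK\n" : "MISMATCH\n";

# One-shot form: do() accepts bind values after the \%attr argument, so the
# form handler can stay a single call without interpolating anything.
$dbh->do(
    'INSERT INTO email (name, email, comments, host, agent) VALUES (?, ?, ?, ?, ?)',
    undef, $name, 'scott@example.com', $comment, '192.0.2.10', 'constructed UA',
);

# If a value ever has to be interpolated, let the driver escape it rather
# than building the string by hand.
my $quoted = $dbh->quote($name);
printf "quote() produces %s\n", $quoted;
```

The prepare/execute pair is what you want in the Mason component: the statement text never contains user input, so the failing inserts go away and the injection path closes at the same time.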
Scott wrote:
I have a web form that we use to submit comments to a database, however
some characters will make the insert fail. For instance usage of ' or ;.
Below is the snippet that handles this, perhaps I could be corrected in the
errors of my ways.
Everything in the DB is varchar except for the comments which is a blob.
Thanks, Scott
Page that handles the input:
------------------------------
<%perl>
if (@_) {
    # @_ holds the request args as key/value pairs; positions 1, 3 and 5
    # are assumed to be the email, name and comments values.
    if ((!$_[1]) or (!$_[3])) {
        print "ERROR: You missed some required information...<br><br>
            You will be returned shortly";
    } else {
        print "Thank you for your submission,<br><br>
            You will be auto-redirected in 5 seconds...";
        my $ip  = $r->get_remote_host;
        my $ua  = $r->header_in('User-Agent');
        my $ref = $r->header_in('referer');
        use Net::SMTP;
        use DBI;
        my $dsn    = 'DBI:mysql:xxxxxx:localhost';
        my $dbuser = 'xxxxx';
        my $dbpass = 'xxxxxx';
        my $dbh = DBI->connect($dsn, $dbuser, $dbpass);
        my $name    = $_[3];
        my $email   = $_[1];
        my $comment = $_[5];
        # The values are interpolated straight into the statement text;
        # this is the statement that fails when the input contains ' or ;.
        $dbh->do("insert into email
            (name, email, comments, host, agent) values
            ('$name', '$email', '$comment', '$ip', '$ua')");
        my $subject = "xxxxxxxx.net Email Form...";
        my $smtp = Net::SMTP->new("xxxx.xxxxx.net");
        my $addr = "[EMAIL PROTECTED]";
        $smtp->mail($email);
        $smtp->to($addr);
        $smtp->data();
        $smtp->datasend("Subject: $subject \n");
        $smtp->datasend("\n");
        $smtp->datasend("Name: $name\n\n");
        $smtp->datasend("Comment:\n$comment");
        $smtp->dataend();
        $smtp->quit();
        close($smtp);
    }
}
</%perl>
---------------------------
Section with form:
---------------------------
} elsif ($source eq "contact") {
    print "<center><br><table width='70%'><tr><td>";
    print "<form NAME='CONTACT' action='email.ml'>";
    print "Name: <input type='text' name='name'
        size='50'><font color=red>*</font><br>";
    print "Email: <input type='text' name='email'
        size='50'><font color=red>*</font><br>";
    print "<textarea name='comments' COLS=80 ROWS=25></textarea><br>";
    print "<input type='submit' value='Submit Email'>";
    print "</td></tr></table></center>";
---------------------------
_______________________________________________
Mason-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mason-users