You need to look at using placeholders. This isn't the correct list for
this, but as a short demonstration, your code really should be written
to do something like:
  my $sth = $dbh->prepare(
    "insert into email(name, email, comments, host, agent)
     values (?,?,?,?,?)"
  );
  $sth->execute($name, $email, $comment, $ip, $ua);
Go do a 'perldoc DBI', or pick up an SQL introductory text.
BTW, *not* quoting these values also leaves your application susceptible
to SQL injection attacks -- think of what would happen if someone
submitted your form below with a value of:
"','','','','');delete from email;"
for the 'name' field...
HTH.
<Steve>
On Tue, 28 Feb 2006, Scott wrote:
> I have a web form that we use to submit comments to a database, however
> some characters will make the insert fail. For instance usage of ' or ;.
> Below is the snippet that handles this, perhaps I could be corrected in the
> errors of my ways.
>
> Everything in the DB is varchar except for the comments which is a blob.
>
> Thanks, Scott
>
> Page that handles the input:
> ------------------------------
> <%perl>
> if (@_) {
> if ((!$_[1]) or (!$_[3])) {
> print "ERROR: You missed some required information...<br><br>
> You will be returned shortly";
> } else {
> print "Thank you for your submission,<br><br>
> You will be auto-redirected in 5 seconds...";
> my $ip = $r->get_remote_host;
> my $ua = $r->header_in('User-Agent');
> my $ref = $r->header_in('referer');
>
> use Net::SMTP;
> use DBI;
>
> my $dsn = 'DBI:mysql:xxxxxx:localhost';
> my $dbuser = 'xxxxx';
> my $dbpass = 'xxxxxx';
> my $dbh = DBI->connect($dsn, $dbuser, $dbpass);
>
> my $name = $_[3];
> my $email = $_[1];
> my $comment = $_[5];
> $dbh->do("insert into email
> (name, email, comments, host, agent) values
> ('$name', '$email', '$comment', '$ip', '$ua')");
>
> my $subject = "xxxxxxxx.net Email Form...";
> my $smtp = Net::SMTP->new("xxxx.xxxxx.net");
> my $addr = "[EMAIL PROTECTED]";
>
> $smtp->mail($email);
> $smtp->to($addr);
> $smtp->data();
> $smtp->datasend("Subject: $subject \n");
> $smtp->datasend("\n");
> $smtp->datasend("Name: $name\n\n");
> $smtp->datasend("Comment:\n$comment");
> $smtp->dataend();
> $smtp->quit();
> close($smtp)
> }
> }
> </%perl>
>
> ---------------------------
> Section with form:
> ---------------------------
> } elsif ($source eq "contact") {
> print "<center><br><table width='70%'><tr><td>";
> print "<form NAME='CONTACT' action='email.ml'>";
> print "Name: <input type='text' name='name'
> size='50'><font color=red>*</font><br>";
> print "Email: <input type='text' name='email'
> size='50'><font color=red>*</font><br>";
> print "<textarea name='comments' COLS=80 ROWS=25></textarea><br>";
> print "<input type='submit' value='Submit Email'>";
> print "</td></tr></table></center>";
>
> ---------------------------
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Mason-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/mason-users
>
--
Steve Reppucci [EMAIL PROTECTED] |
Logical Choice Software http://logsoft.com/ |
=-=-=-=-=-=-=-=-=-=- My God! What have I done? -=-=-=-=-=-=-=-=-=-=
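The following is an added, self-contained illustration of the two styles discussed above; it is not code from either Steve or Scott. It assumes DBD::SQLite is installed and uses an in-memory SQLite database in place of the MySQL database from the original post, so it runs offline. The submissions are constructed sample data: the second contains the apostrophe and semicolon that broke the original insert, and the third is the string from Steve's BTW. The interpolated insert is shown failing on the quoted name, while the placeholder version stores every value exactly as submitted and the table stays intact.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database stands in for
# the MySQL database used in the original post.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do(q{
    CREATE TABLE email (
        name     VARCHAR(255),
        email    VARCHAR(255),
        comments BLOB,
        host     VARCHAR(255),
        agent    VARCHAR(255)
    )
});

# Constructed sample form submissions (name, email, comment, host, agent).
my @submissions = (
    [ "Alice",        'alice@example.invalid', "Hello",             '192.0.2.1', 'Mozilla/5.0' ],
    [ "O'Brien; Dan", 'dan@example.invalid',   "I like it; thanks", '192.0.2.2', 'Mozilla/5.0' ],
    [ "','','','','');delete from email;", 'x@example.invalid', "x", '192.0.2.3', 'curl/7.0' ],
);

# The original style: values are interpolated into the SQL text, so any
# quote character in the data is also a quote character in the statement.
sub insert_interpolated {
    my ($name, $email, $comment, $ip, $ua) = @_;
    return eval {
        $dbh->do("insert into email (name, email, comments, host, agent) values "
               . "('$name', '$email', '$comment', '$ip', '$ua')");
        1;
    } ? 'ok' : "failed: $@";
}

# The placeholder style: the SQL text is fixed at prepare time and the
# values are passed separately, so they are stored verbatim.
my $sth = $dbh->prepare(
    "insert into email (name, email, comments, host, agent) values (?,?,?,?,?)"
);
sub insert_with_placeholders {
    my ($name, $email, $comment, $ip, $ua) = @_;
    $sth->execute($name, $email, $comment, $ip, $ua);
    return 'ok';
}

# The quoted name breaks the interpolated statement, which is exactly the
# failure described in the original question.
printf "interpolated: %s\n", insert_interpolated(@{ $submissions[1] });

# With placeholders every submission, including the awkward ones, is stored.
for my $row (@submissions) {
    printf "placeholders: %s\n", insert_with_placeholders(@$row);
}

# The table still exists and holds all three rows, with the names unchanged.
my $rows = $dbh->selectall_arrayref("select name from email order by rowid");
printf "%d rows stored\n", scalar @$rows;
print "  name=[$_->[0]]\n" for @$rows;
```

Run it with plain `perl`; the interpolated insert reports a syntax error from the driver, the placeholder inserts all report ok, and the final query lists three rows whose name column contains the submitted strings character for character.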