--- "FLAHERTY, JIM-CONT" <[EMAIL PROTECTED]> wrote:
> This is what my error log says on my redhat 7.1
>
> [Sun Sep 16 13:18:33 2001] [error] Undefined subroutine &main::redirect called at /var/www/cgi-bin/sobt/add.cgi line 38.
>
> [Sun Sep 16 13:18:44 2001] [error] [client 192.168.1.8] Premature end of script
>
> here is my code:
>
> $dbh = DBI->connect($data_source, $username, $password);
> my $sth1 = $dbh->prepare("insert into media(serial,name,desc1) values('$serial','$name','$desc1')");
> $sth1->execute;
> #$sth1->finish;
>
> $dbh->disconnect;
>
> ###
> # re direct page back
> ###
>
> print redirect('sobt_admin.cgi');

&redirect is one of the functions from CGI.pm. If this is what you intended to use, you'll either need to import it or declare an object and call it as a method:

    use CGI qw/:standard/;
    print redirect($someplace);

    # or #

    use CGI;
    my $q = CGI->new;
    print $q->redirect($someplace);

I'm extremely concerned about your variables. You don't show yourself using the DBI::quote method, so you could potentially be allowing a huge security hole if the data you're adding is submitted by a user. Quoting your data or using placeholders should prevent this security hole:

    my $sth1 = $dbh->prepare("insert into media (serial,name,desc1) values(?,?,?)");
    $sth1->execute( $serial, $name, $desc1 );

    # or #

    $serial = $dbh->quote( $serial );
    $name   = $dbh->quote( $name );
    $desc1  = $dbh->quote( $desc1 );
    my $sth1 = $dbh->prepare("insert into media(serial,name,desc1) values($serial,$name,$desc1)");

The reason this is a problem is that many databases allow you to execute multiple SQL statements at once. If someone puts a terminating quote mark followed by appropriate input data, they can potentially execute arbitrary SQL against the database. Again, placeholders or the $dbh->quote method should prevent this.

Cheers,
Curtis "Ovid" Poe
=
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
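
The three approaches from the reply side by side, as an added example that is not part of the original thread. It assumes DBI and DBD::SQLite are installed and uses an in-memory SQLite database in place of the poster's server; the table, column names and the attacker string are constructed for the demonstration. Because DBD::SQLite runs only the first statement it is handed, the payload does not append a second statement; instead it closes the string literal and supplies its own values for the remaining columns, which works against any backend and is enough to show the difference between interpolation, placeholders and $dbh->quote:

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes DBI plus DBD::SQLite are
# installed; an in-memory SQLite database stands in for the poster's server.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE media (serial TEXT, name TEXT, desc1 TEXT)');

# Constructed attacker input for the "serial" form field. It closes the
# string literal, supplies its own values for the other two columns, and
# comments out the rest of the statement ("--" is a line comment in SQLite
# and most other SQL dialects).
my %form = (
    serial => q{A1','hijacked','pwned')--},
    name   => 'Real Name',
    desc1  => 'Real description',
);

# The poster's pattern: form values interpolated straight into the SQL text.
sub insert_interpolated {
    my ($dbh, $f) = @_;
    $dbh->do("insert into media(serial,name,desc1) "
           . "values('$f->{serial}','$f->{name}','$f->{desc1}')");
}

# Placeholders: the statement is compiled once and the values travel
# separately, so they can never be parsed as SQL.
sub insert_placeholders {
    my ($dbh, $f) = @_;
    my $sth = $dbh->prepare('insert into media(serial,name,desc1) values(?,?,?)');
    $sth->execute(@{$f}{qw(serial name desc1)});
}

# $dbh->quote: each value is escaped (the embedded ' becomes '') and wrapped
# in quotes, so it stays a single string literal.
sub insert_quoted {
    my ($dbh, $f) = @_;
    my @v = map { $dbh->quote($f->{$_}) } qw(serial name desc1);
    $dbh->do("insert into media(serial,name,desc1) values($v[0],$v[1],$v[2])");
}

sub stored_row {
    my ($dbh) = @_;
    return $dbh->selectrow_arrayref('select serial,name,desc1 from media');
}

for my $case (['interpolated', \&insert_interpolated],
              ['placeholders', \&insert_placeholders],
              ['quote()',      \&insert_quoted]) {
    my ($label, $insert) = @$case;
    $dbh->do('delete from media');
    $insert->($dbh, \%form);
    my ($serial, $name, $desc1) = @{ stored_row($dbh) };
    printf "%-12s serial=[%s] name=[%s] desc1=[%s]\n", $label, $serial, $name, $desc1;
}
$dbh->disconnect;
```

Run it and the interpolated case stores "hijacked" and "pwned" in the name and desc1 columns, even though the form sent "Real Name" and "Real description" for them: the quote in the serial field ended the literal and the rest of the input became SQL. The placeholder and quote() cases both store the attacker string verbatim as the serial and leave the other columns untouched. Placeholders are the better default because there is nothing to forget; quote() only helps when every interpolated value goes through it.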