Apache 2.0.46 modperl 1.99-10.dev (CVS snapshot from last night) perl 5.8.0 NetBSD 1.6.1
I've got a form that I'm posting to an MP2 script, and am parsing the output with the following subroutines :

sub hash_post { # returns a hash of all the POST values
    my ($r) = shift;
    my $post_string = CB::read_post($r);
    my %rethash = {};
    my @bits = split(/&/, $post_string);
    foreach my $bit (@bits) {
        $bit =~ /^(.*)=(.*)$/;
        my $key = CGI::Util::unescape($1);
        my $value = CGI::Util::unescape($2);
        $rethash{$key} = $value;
    }
    return %rethash;
}

CB::read_post() is :

sub read_post {
    use Apache::Filter ();
    use APR::Bucket ();
    use APR::Brigade ();
    use constant IOBUFSIZE => 8192;
    use Apache::Const -compile => qw(MODE_READBYTES);
    use APR::Const -compile => qw(SUCCESS BLOCK_READ);

    use CGI::Util;

    my $r = shift;
    my $debug = shift || 0;

    my @data = ();
    my $seen_eos = 0;
    my $filters = $r->input_filters();
    my $ba = $r->connection->bucket_alloc;
    my $bb = APR::Brigade->new($r->pool, $ba);

    do {
        my $rv = $filters->get_brigade($bb,
            Apache::MODE_READBYTES, APR::BLOCK_READ, IOBUFSIZE);
        if ($rv != APR::SUCCESS) {
            return $rv;
        }

        while (!$bb->empty) {
            my $buf;
            my $b = $bb->first;

            $b->remove;

            if ($b->is_eos) {
                warn "EOS bucket:\n" if $debug;
                $seen_eos++;
                last;
            }

            my $status = $b->read($buf);
            warn "DATA bucket: [$buf]\n" if $debug;
            if ($status != APR::SUCCESS) {
                return $status;
            }
            push @data, $buf;
        }
        $bb->destroy;

    } while (!$seen_eos);
    my $string = join '', @data;
    return $string;
}

The observant will notice that read_post() is pretty-much Stas's code from the mp test scripts, so I figure it's got to be good code (Stas wrote it :) )
This all seems to work quite nicely for the simple form I'm processing, like so :

my %posted_data = CB::hash_post($r);
foreach my $key (keys %posted_data) {
    $vars->{form}->{$key} = $posted_data{$key};
}

The %vars gets thrown into template toolkit and as far as I can see, it looks fine, so I _think_ I'm parsing the POST data correctly at this point. But ....
I then want to throw the data at a database insert :

CB::submit_training_log($user_id, %posted_data);

sub submit_training_log {
    my ($user_id,%values) = @_;

    # use DBI;
    #my $dbh = DBI->connect("DBI:mysql:".$db_name.":".$db_server, $db_user, $db_pass,
    #    { RaiseError => 1}) or return -1;

    my $fields = "user_id";
    my $values = "\'".$user_id."\'";
    foreach my $key (keys %values) {
        $fields .= ",$key";
        $values .= ",\'".$values{$key}."\'";
    }
    my $insert = "INSERT into training_log ($fields) VALUES ($values)";

    logit($log,$insert);
    # $dbh->disconnect;
}

(yes, I need to do lots of safety/sanity/taint checks etc ... )
What I see in the INSERT log message is this :
INSERT into training_log ('user_id','av_hr','distance','time','percent_fat','max_speed','comments',
'time_e3','time_o2','max_power','weather','weight','resting_hr','day',
'mon','time_e1','motivation','fatigue','energy_burnt','max_hr','stress',
'time_e2','time_rec','location','planned_session','av_speed',
'actual_session','HASH(0x8d7be98)','av_power','time_se','soreness',
'sleep','year') VALUES ('1','','','','','','The session was great!','','','','funky','','','25','6','','1','1','','','1','','',
'','','','As per planned session','','','','1','1','2003')
There's a "HASH(0x8d7be98)" in there. That's a problem! Can anyone
see where it might be coming from? All the form variables are
accounted for, so it seems to be coming from nowhere? The only place I can think of is the submit button?

It definitely looks like a thing coming from the HTML page. Do you see it in the POSTed body, before you even parse it?

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
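
An added example, not part of either message above: in Perl, `my %rethash = {};` (as in hash_post()) assigns a one-element list holding a hash reference, which is stringified into a key of the form HASH(0x...). The sketch reproduces that key on constructed data and builds the INSERT from a column allow-list with placeholders, so neither a stray key nor a quote in a value reaches the SQL text. `build_insert` and the contents of `%ALLOWED` are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: what hash_post() hands back for a two-field form.
# "%h = {}" assigns a one-element list (a hash reference) to the hash,
# so the reference is stringified into a key such as "HASH(0x8d7be98)".
my %posted;
{
    no warnings 'misc';   # "Reference found where even-sized list expected"
    %posted = {};
}
$posted{distance} = '42';
$posted{comments} = "The session's notes";   # embedded quote on purpose

# Hypothetical allow-list: the only column names the INSERT may contain.
my %ALLOWED = map { $_ => 1 } qw(distance comments weather day mon year);

# Build a parameterised INSERT; returns ($sql, \@bind, \@rejected).
sub build_insert {
    my ($user_id, %values) = @_;
    my (@cols, @bind, @rejected);
    for my $key (sort keys %values) {
        if ($ALLOWED{$key}) {
            push @cols, $key;             # name comes from the allow-list
            push @bind, $values{$key};    # value travels as a bind parameter
        }
        else {
            push @rejected, $key;         # stray or unexpected POST key
        }
    }
    my $sql = sprintf 'INSERT INTO training_log (%s) VALUES (%s)',
        join(',', 'user_id', @cols),
        join(',', ('?') x (@cols + 1));
    return ($sql, [ $user_id, @bind ], \@rejected);
}

my ($sql, $bind, $rejected) = build_insert(1, %posted);
print "SQL:      $sql\n";
print "bind:     ", join(' | ', @$bind), "\n";
print "rejected: @$rejected\n";
# With DBI the statement would be executed as: $dbh->do($sql, undef, @$bind);
```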