Robert wrote:
I have a form that is submitting and the url ending is "?position=BSIPL". My form has method="get" in it. I have tried it without a method as well.

I have in my CGI:

my $pid = $q->param('position');  # which should now hold BSIPL right?

My SQL is as so:

my $sth = $dbh->prepare("
    SELECT position_id, dstrct_code, authty_type,
        authty_given, authty_sevrty, authty_rule,
        authty_low_lim, orig_ctl_flag, authty_upp_lim
    FROM msf872
    WHERE position_id = ?
");
$sth->execute($pid);

I run the CGI through "perl -cw" as well as having "use strict" and "use warnings". I get no errors but I also get no data back when there is data.

Any suggestions?

Robert



Hopefully you would also consider using the -T switch in your CGI and untainting the value of $pid before using it in the database.


$pid =~ /^(\d{1,9})$/ or
        error("invalid PID passed: $pid");
$pid = $1; # $pid is now untainted and DEFINITELY contains a 1-9 digit
           # integer only

Now you can be sure that the data you're trying to request is what you expect AND that there's no additional jiggery-pokery going on (like people trying to inject SQL into your query with

?position="25;delete from SOMETABLE;" or however they do it).

--
Scott R. Godin
Laughing Dragon Services
www.webdragon.net
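A complete CGI putting the advice above together (taint mode, allowlist untainting of the parameter, placeholder binding). This is an added example, not code from either poster; the allowlist regex assumes position_id values are short uppercase alphanumeric codes like BSIPL, and the DSN, credentials and error handling are placeholders.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use DBI;

# Allowlist for position_id: 1-10 uppercase letters or digits.
# Assumed format (the example value is BSIPL); adjust to your schema.
my $POSITION_RE = qr/^([A-Z0-9]{1,10})$/;

# Validate and untaint the raw parameter. Returns the untainted value,
# or undef when the input does not match the allowlist. Under -T only
# the regex capture ($1) is untainted; the raw value stays tainted.
# A value such as "25;delete from SOMETABLE;" fails the match and is
# never handed to the database.
sub untaint_position {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ $POSITION_RE ? $1 : undef;
}

my $q   = CGI->new;
my $pid = untaint_position( $q->param('position') );

unless ( defined $pid ) {
    print $q->header( -status => '400 Bad Request', -type => 'text/plain' ),
        "Invalid position parameter\n";
    exit;
}

# Placeholder DSN and credentials; replace with your own.
my $dbh = DBI->connect( 'dbi:Oracle:mydb', 'user', 'pass',
    { RaiseError => 1, PrintError => 0 } )
    or die DBI->errstr;

# The value is bound as data via the placeholder; it is never
# interpolated into the SQL text, so quoting tricks cannot alter it.
my $sth = $dbh->prepare(
    'SELECT position_id, dstrct_code FROM msf872 WHERE position_id = ?'
);
$sth->execute($pid);

print $q->header('text/plain');
while ( my $row = $sth->fetchrow_hashref ) {
    print join( "\t", @{$row}{qw(position_id dstrct_code)} ), "\n";
}
```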
