I have a form that is submitting and the URL ending is "?position=BSIPL". My form has method="get" in it. I have tried it without a method as well.
I have in my CGI:
my $pid = $q->param('position'); # which should now hold BSIPL right?
My SQL is as so:
    my $sth = $dbh->prepare("
        SELECT position_id, dstrct_code, authty_type, authty_given,
               authty_sevrty, authty_rule, authty_low_lim,
               orig_ctl_flag, authty_upp_lim
        FROM msf872
        WHERE position_id = ?
    ");
    $sth->execute($pid);
I run the CGI through "perl -cw" as well as having "use strict" and "use warnings". I get no errors but I also get no data back when there is data.
Any suggestions?
Robert
Hopefully you would also consider using the -T switch in your CGI and untainting the value of $pid before using it in the database.

    $pid =~ /^(\d{1,9})$/
        or error("invalid PID passed: $pid");
    $pid = $1;
    # $pid is now untainted and DEFINITELY contains a 1-9 digit
    # integer only

Now you can be sure that the data you're trying to request is what you expect AND that there's no additional jiggery-pokery going on (like people trying to inject SQL into your query with
?position="25;delete from SOMETABLE;" or however they do it).
-- Scott R. Godin Laughing Dragon Services www.webdragon.net
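
An added example, not part of the original thread: taint-mode untainting with an allow-list that fits an alphanumeric position ID such as BSIPL. The pattern (1-10 upper-case letters or digits), the helper name untaint_position and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed format: position IDs are 1-10 upper-case letters or digits (e.g. BSIPL).
# \A and \z anchor the whole string; unlike $, \z does not allow a trailing newline.
my $POSITION_RE = qr/\A([A-Z0-9]{1,10})\z/;

# Hypothetical helper: returns an untainted copy of a valid position ID,
# or undef if the value does not match the allow-list.
sub untaint_position {
    my ($raw) = @_;
    return undef unless defined $raw;
    # A capture group from a successful match is untainted under -T.
    return $raw =~ $POSITION_RE ? $1 : undef;
}

# Zero-length tainted string; appending it marks a constructed sample as
# tainted, the way CGI parameters are when the script runs under -T.
my $TAINT = substr($^X, 0, 0);

# Constructed sample inputs (the second is the string quoted in the reply).
my @samples = ('BSIPL', '25;delete from SOMETABLE;', "BSIPL\n", '');

for my $sample (@samples) {
    my $raw = $sample . $TAINT;
    my $pid = untaint_position($raw);
    (my $shown = $sample) =~ s/\n/\\n/g;    # make the newline visible in output
    if (defined $pid) {
        printf "%-30s accepted  tainted before=%d after=%d\n",
            "'$shown'", tainted($raw) ? 1 : 0, tainted($pid) ? 1 : 0;
        # $sth->execute($pid) would follow here, still using the ? placeholder
        # from the question rather than interpolating $pid into the SQL.
    }
    else {
        printf "%-30s rejected\n", "'$shown'";
    }
}
```

Run it as "perl -T script.pl"; a -T that appears only on the #! line makes perl refuse to start when the file is passed to perl directly.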