www.webdeveloper.com
Results 1 to 15 of 15

Thread: Somebody check my code please?

  1. #1
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8

    Somebody check my code please?

    I was given a project to create a simple HTML registration form in which the data is validated using Javascript. It is then validated on the server side using Perl before being sent to a mySQL database. This is my first time using Perl so I would appreciate some expert feedback. Have I gotten this right? Any productive feedback will be greatly appreciated. Thanks.






    (Here is my SQL database named db_register.sql)





    CREATE DATABASE db_register;

    USE db_register;

    CREATE TABLE contact (
    fname VARCHAR(20),
    lname VARCHAR(20),
    address VARCHAR(30),
    city VARCHAR(20),
    state VARCHAR(2),
    zip SMALLINT(5),
    phone VARCHAR(12),
    email VARCHAR(30) NOT NULL,
    PRIMARY KEY(email)
    );







    (Here is my code named register.cgi)





    sub display_form
    {
    my $error_message = shift;
    my $fname = shift;
    my $lname = shift;
    my $address = shift;
    my $city = shift;
    my $state = shift;
    my $zip = shift;
    my $phone = shift;
    my $email = shift;

    # Remove and potentially malicious HTML tags
    $fname =~ s/<([^>]|\n)*>//g;
    $lname =~ s/<([^>]|\n)*>//g;
    $address =~ s/<([^>]|\n)*>//g;
    $city =~ s/<([^>]|\n)*>//g;
    $state =~ s/<([^>]|\n)*>//g;
    $zip =~ s/<([^>]|\n)*>//g;
    $phone =~ s/<([^>]|\n)*>//g;
    $email =~ s/<([^>]|\n)*>//g;

    #Display the form
    print <<END_HTML;
    <html>

    <head>
    <title>Newsletter Registration Form</title>
    </head>

    <body>

    <script type="text/javascript">
    <!--

    function validate_form ( )
    {
    valid = true;

    // validate name fields
    if ( document.registration_form.fname.value == "" )
    {
    alert ( "Please fill in the 'First Name' box." );
    valid = false;
    }
    if ( document.registration_form.lname.value == "" )
    {
    alert ( "Please fill in the 'Last Name' box." );
    valid = false;
    }

    // validate address field
    if ( document.registration_form.address.value == "" )
    {
    alert ( "Please fill in the 'Address' box." );
    valid = false;
    }

    // validate city field
    if ( document.registration_form.city.value == "" )
    {
    alert ( "Please fill in the 'City' box." );
    valid = false;
    }

    // validate state field
    if ( document.registration_form.state.value == "" )
    {
    alert ( "Please fill in the 'State' box." );
    valid = false;
    }

    // validate zip field
    if ( document.registration_form.zip.value == "" )
    {
    alert ( "Please fill in the 'Zip' box." );
    valid = false;
    }
    else if ( isNaN( document.registration_form.zip.value ) )
    {
    alert ( "Please enter a 5-digit zip code." );
    valid = false;
    }

    // validate phone field
    if ( document.registration_form.phone.value == "" )
    {
    alert ( "Please fill in the 'Phone' box." );
    valid = false;
    }
    else if ( isNaN( document.registration_form.phone.value ) )
    {
    alert ( "Please enter a 10-digit phone number." );
    valid = false;
    }

    // validate email field
    var emailFilter=/^.+@.+\..{2,3}$/;
    if ( document.registration_form.email.value == "" )
    {
    alert ( "Please fill in the 'Email' box." );
    valid = false;
    }
    else if (!(emailFilter.test(document.registration_form.email.value))) {
    alert ("Please enter a valid email address.");
    valid = false;
    }

    if ( valid == true )
    {
    alert ("Thank you for registering." );
    }

    return valid;
    }

    //-->
    </script>

    <h1>Newsletter Registration Form</h1>
    <p>$error_message</p>
    <FORM NAME="registration_form" ACTION="form_validation.cgi" METHOD="POST" onsubmit="return validate_form();">

    <table border="3" width="100%" bgcolor="#D5D5FF" bordercolor="blue" cellspacing="0">
    <tr>
    <td width="30%" align="right"><b>First Name:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="fname" VALUE="$fname" SIZE=40></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>Last Name:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="lname" VALUE="$lname" SIZE=40></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>Address:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="address" VALUE="$address" SIZE=40></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>City:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="city" VALUE="$city" SIZE=40></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>State:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="state" VALUE="$state" SIZE=2 MAXLENGTH="2"></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>Zip:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="zip" VALUE="$zip" SIZE=5 MAXLENGTH="5"></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>Phone:</b><br>Do not include () or -</td>
    <td width="70%"><INPUT TYPE="text" NAME="phone" VALUE="$phone" SIZE=10 MAXLENGTH=10></td>
    </tr>
    <tr>
    <td width="30%" align="right"><b>Email:</b></td>
    <td width="70%"><INPUT TYPE="text" NAME="email" VALUE="$email" SIZE=40></td>
    </tr>
    </table>
    <br>
    <hr size="2" color="blue">
    <center>
    <INPUT TYPE="submit" VALUE="Submit Data">
    <INPUT TYPE="reset" VALUE="Clear Data">
    </center>
    </FORM>
    </body></html>

    END_HTML
    }

    sub validate_form
    {
    my $fname = $query->param("fname");
    my $lname = $query->param("lname");
    my $address = $query->param("address");
    my $city = $query->param("city");
    my $state = $query->param("state");
    my $zip = $query->param("zip");
    my $phone = $query->param("phone");
    my $email = $query->param("email");

    my $error_message = "";

    $error_message .= "Please enter your first name<br/>" if ( !$fname );
    $error_message .= "Please enter your last name<br/>" if ( !$lname );
    $error_message .= "Please enter your address<br/>" if ( !$address );
    $error_message .= "Please enter your city<br/>" if ( !$city );
    $error_message .= "Please enter your state<br/>" if ( !$state );
    $error_message .= "Please enter your zip<br/>" if ( !$zip );
    $error_message .= "Please enter your phone<br/>" if ( !$phone );
    $error_message .= "Please enter your email<br/>" if ( !$email );

    if ( $error_message )
    {
    # Errors with the form - redisplay it and return failure
    display_form ( $error_message, $fname, $lname, $address, $city, $state, $zip, $phone, $email );
    return 0;
    }
    else
    {
    # Form OK - return success
    return 1;
    }
    }

    #!/usr/bin/perl

    use warnings;
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);
    use DBI;

    # Connection to CGI and Database
    $q = new CGI;
    $dbh = DBI->connect('dbi:mysql:database=db_register','','',{RaiseError=>1});

    # Output the HTTP header
    print $q->header ();

    # Process form if submitted; otherwise display it
    if ( $q->param("submit") )
    {
    process_form();
    }
    else
    {
    display_form();
    }

    sub process_form
    {
    if ( validate_form () )
    {
    # Insert form elements into database
    my $sql= $dbh->prepare('INSERT INTO contact(fname,lname,address,city,state,zip,phone,email)
    values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")');

    $sql->execute();

    # Finish database connection
    $dbh->disconnect if $dbh;

    # Display Thank You page
    print <<END_HTML;
    <html><head><title>Thank You</title></head>
    <body>
    Thank you for registering!
    </body></html>
    END_HTML
    }
    }

  2. #2
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    I think I already caught one minor error. In the sub "validate_form" I'm using a variable named $query but below when I create a new CGI object I named it $q. These need to match.

  3. #3
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    Does the sub process_form need to exist before it's being called upon?

  4. #4
    Join Date
    Oct 2007
    Location
    Vienna, Austria
    Posts
    391
    And how about using the &#91;code&#93; tags? It would be so much easier to read then.

  5. #5
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    Sorry about that. New to the forum and didn't know the etiquette.

    db_register.sql

    Code:
    CREATE DATABASE db_register;
    
    USE db_register;
    
    CREATE TABLE contact (
      fname VARCHAR(20) NOT NULL,
      lname VARCHAR(20) NOT NULL,
      address VARCHAR(30),
      city VARCHAR(20),
      state VARCHAR(2),
      zip SMALLINT(5),
      phone VARCHAR(12),
      email VARCHAR(30) NOT NULL,
      PRIMARY KEY(email)
    );
    register.cgi

    Code:
    sub display_form
    {
    	my $error_message = shift;
    	my $fname = shift;
    	my $lname = shift;
    	my $address = shift;
    	my $city = shift;
    	my $state = shift;
    	my $zip = shift;
    	my $phone = shift;
    	my $email = shift;
    
    	# Remove and potentially malicious HTML tags
    	$fname =~ s/<([^>]|\n)*>//g;
    	$lname =~ s/<([^>]|\n)*>//g;
    	$address =~ s/<([^>]|\n)*>//g;
    	$city =~ s/<([^>]|\n)*>//g;
    	$state =~ s/<([^>]|\n)*>//g;
    	$zip =~ s/<([^>]|\n)*>//g;
    	$phone =~ s/<([^>]|\n)*>//g;
    	$email =~ s/<([^>]|\n)*>//g;
    
    	#Display the form
    	print <<END_HTML;
    	<html>
    
    	<head>
    	  <title>Newsletter Registration Form</title>
    	</head>
    
    	<body>
    
    	  <script type="text/javascript">
    	  <!--
    
    	  function validate_form ( )
    	  {
    	    valid = true;
    	    
    	    // validate name fields
    	    if ( document.registration_form.fname.value == "" )
    	    {
    		alert ( "Please fill in the 'First Name' box." );
    		valid = false;
    	    }
    	    if ( document.registration_form.lname.value == "" )
    	    {
    		alert ( "Please fill in the 'Last Name' box." );
    		valid = false;
    	    }
    	    
    	    // validate address field
    	    if ( document.registration_form.address.value == "" )
    	    {
    		alert ( "Please fill in the 'Address' box." );
    		valid = false;
    	    }
    	    
    	    // validate city field
    	    if ( document.registration_form.city.value == "" )
    	    {
    		alert ( "Please fill in the 'City' box." );
    		valid = false;
    	    }
    	    
    	    // validate state field
    	    if ( document.registration_form.state.value == "" )
    	    {
    		alert ( "Please fill in the 'State' box." );
    		valid = false;
    	    }
    	    
    	    // validate zip field
    	    if ( document.registration_form.zip.value == "" )
    	    {
    		alert ( "Please fill in the 'Zip' box." );
    		valid = false;
    	    }
    	    else if ( isNaN( document.registration_form.zip.value ) )
    	    {
    		alert ( "Please enter a 5-digit zip code." );
    		valid = false;
    	    }
    	    
    	    // validate phone field
    	    if ( document.registration_form.phone.value == "" )
    	    {
    		alert ( "Please fill in the 'Phone' box." );
    		valid = false;
    	    }
    	    else if ( isNaN( document.registration_form.phone.value ) )
    	    {
    		alert ( "Please enter a 10-digit phone number." );
    		valid = false;
    	    }
    	    
    	    // validate email field
    	    var emailFilter=/^.+@.+\..{2,3}$/;
    	    if ( document.registration_form.email.value == "" )
    	    {
    		alert ( "Please fill in the 'Email' box." );
    		valid = false;
    	    }
    	     else if (!(emailFilter.test(document.registration_form.email.value))) {
    	       alert ("Please enter a valid email address.");
    	       valid = false;
    	    }
    
    	    if ( valid == true )
    	    {
    		alert ("Thank you for registering." );
    	    }
    
    	    return valid;
    	  }
    
    	  //-->
    	  </script>
    
    	  <h1>Newsletter Registration Form</h1>
    	  <p>$error_message</p>
    	  <FORM NAME="registration_form" ACTION="form_validation.cgi" METHOD="POST" onsubmit="return validate_form();">
    	  
    	  <table border="3" width="100%" bgcolor="#D5D5FF" bordercolor="blue" cellspacing="0">
    	    <tr>
    	      <td width="30%" align="right"><b>First Name:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="fname" VALUE="$fname" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Last Name:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="lname" VALUE="$lname" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Address:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="address" VALUE="$address" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>City:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="city" VALUE="$city" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>State:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="state" VALUE="$state" SIZE=2 MAXLENGTH="2"></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Zip:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="zip" VALUE="$zip" SIZE=5 MAXLENGTH="5"></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Phone:</b><br>Do not include () or -</td>
    	      <td width="70%"><INPUT TYPE="text" NAME="phone" VALUE="$phone" SIZE=10 MAXLENGTH=10></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Email:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="email" VALUE="$email" SIZE=40></td>
    	    </tr>
    	  </table>
    	  <br>
    	  <hr size="2" color="blue">
    	  <center>
    	    <INPUT TYPE="submit" VALUE="Submit Data">
    	    <INPUT TYPE="reset" VALUE="Clear Data">
    	  </center>
    	  </FORM>
    	</body></html>
    
    END_HTML
    }
    
    sub validate_form
    {
    	my $fname = $query->param("fname");
    	my $lname = $query->param("lname");
    	my $address = $query->param("address");
    	my $city = $query->param("city");
    	my $state = $query->param("state");
    	my $zip = $query->param("zip");
    	my $phone = $query->param("phone");
    	my $email = $query->param("email");
    
    	my $error_message = "";
    
    	$error_message .= "Please enter your first name<br/>" if ( !$fname );
    	$error_message .= "Please enter your last name<br/>" if ( !$lname );
    	$error_message .= "Please enter your address<br/>" if ( !$address );
    	$error_message .= "Please enter your city<br/>" if ( !$city );
    	$error_message .= "Please enter your state<br/>" if ( !$state );
    	$error_message .= "Please enter your zip<br/>" if ( !$zip );
    	$error_message .= "Please enter your phone<br/>" if ( !$phone );
    	$error_message .= "Please enter your email<br/>" if ( !$email );
    
    	if ( $error_message )
    	{
    		# Errors with the form - redisplay it and return failure
    		display_form ( $error_message, $fname, $lname, $address, $city, $state, $zip, $phone, $email );
    		return 0;
    	}
    	else
    	{
    		# Form OK - return success
    		return 1;
    	}
    }
    
    #!/usr/bin/perl
    
    use warnings;
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);
    use DBI;
    
    # Connection to CGI and Database
    $q = new CGI;
    $dbh = DBI->connect('dbi:mysql:database=db_register','','',{RaiseError=>1});
    
    # Output the HTTP header
    print $q->header ();
    
    # Process form if submitted; otherwise display it
    if ( $q->param("submit") )
    {
    	process_form();
    }
    else
    {
    	display_form();
    }
    
    sub process_form
    {
    	if ( validate_form () )
    	{
    		# Insert form elements into database
    		my $sql= $dbh->prepare('INSERT INTO contact(fname,lname,address,city,state,zip,phone,email) 
    		values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")');
    
    		$sql->execute();
    
    		# Finish database connection
    		$dbh->disconnect if $dbh;
                             
    		# Display Thank You page
    		print <<END_HTML;
    		<html><head><title>Thank You</title></head>
    		<body>
    		Thank you for registering!
    		</body></html>
    		END_HTML
    	}
    }

  6. #6
    Join Date
    Oct 2007
    Location
    Vienna, Austria
    Posts
    391
    @dupank: No, you can call a sub that's defined afterwards, you just have to use the parentheses().

    I don't have the time to check it thoroughly. It looks nicely written in general. A few things come to mind nonetheless:

    • The shebang line
      Code:
      #!/usr/bin/perl
      must be the very first in the script to have any effect.
    • You sometimes use the my function to declare variables and sometimes not. Nothing wrong with that but I wonder why you use it at all then. I personally prefer to use strict whenever possible, so variable declaration is necessary then.
    • Your display_form function takes a lot of parameters, in which case I find it better to use named parameters via a hashref, or at least to check for the correct number of parameters as it tends to be easy to forget one. This could be written as:
      Code:
      sub display_form {
          my ($arg) = @_;
          my @req_args = qw(
              error_message
              fname lname
              address city state zip
              phone email
          );
          die "A single hashref expected in display_form" if ref $arg ne 'HASH';
          for (@req_args) { if (not $arg->{$_}) {
              die "required argument $_ not given to display_form"
          }}
          # params checked, let's take them
          my $fname = $arg->{fname};
          # and so on
      }
      Then you'd call the function like this:
      Code:
      display_form({
          fname => "john",
          lname => "doe",
          # etc...
      })

  7. #7
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    Thank you for your response.

    I've made some modifications. Successful input is supposed to be sent to the mysql database using the process_form subroutine. Do you see an issue there?

    FILE: register.cgi
    Code:
    #!/usr/bin/perl
    
    use warnings;
    use CGI;
    use CGI::Carp qw(fatalsToBrowser);
    use DBI;
    
    
    
    # Create CGI object and connect to Database
    $query = new CGI;
    $dbh = DBI->connect('dbi:mysql:database=db_register','','',{RaiseError=>1});
    
    
    
    # Output the HTTP header
    print $query->header ();
    
    
    
    # Process form if submitted; otherwise display it
    if ( $query->param("submit") )
    {
    	process_form();
    }
    else
    {
    	display_form();
    }
    
    
    
    # SUBROUTINES FOLLOW
    # Process the form, send to sql database
    sub process_form
    {
    	if ( validate_form () )
    	{
    		# Insert form elements into database
    		my $sql= $dbh->prepare('INSERT INTO contact(fname,lname,address,city,state,zip,phone,email) 
    		values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")');
    
    		$sql->execute();
    
    		# Finish database connection
    		$dbh->disconnect if $dbh;
                             
    		# Display Thank You page
    		print <<END_HTML;
    		<html><head><title>Thank You</title></head>
    		<body>
    		Thank you for registering!
    		</body></html>
    		END_HTML
    	}
    }
    
    
    
    # Displays the HTML form and includes validation using javascript
    sub display_form
    {
    	my $error_message = shift;
    	my $fname = shift;
    	my $lname = shift;
    	my $address = shift;
    	my $city = shift;
    	my $state = shift;
    	my $zip = shift;
    	my $phone = shift;
    	my $email = shift;
    
    	# Remove and potentially malicious HTML tags
    	$fname =~ s/<([^>]|\n)*>//g;
    	$lname =~ s/<([^>]|\n)*>//g;
    	$address =~ s/<([^>]|\n)*>//g;
    	$city =~ s/<([^>]|\n)*>//g;
    	$state =~ s/<([^>]|\n)*>//g;
    	$zip =~ s/<([^>]|\n)*>//g;
    	$phone =~ s/<([^>]|\n)*>//g;
    	$email =~ s/<([^>]|\n)*>//g;
    
    	#Display the form
    	print <<END_HTML;
    	<html>
    
    	<head>
    	  <title>Newsletter Registration Form</title>
    	</head>
    
    	<body>
    
    	  <script type="text/javascript">
    	  <!--
    
    	  function validate_form ( )
    	  {
    	    valid = true;
    	    
    	    // validate name fields
    	    if ( document.registration_form.fname.value == "" )
    	    {
    		alert ( "Please fill in the 'First Name' box." );
    		valid = false;
    	    }
    	    if ( document.registration_form.lname.value == "" )
    	    {
    		alert ( "Please fill in the 'Last Name' box." );
    		valid = false;
    	    }
    	    
    	    // validate address field
    	    if ( document.registration_form.address.value == "" )
    	    {
    		alert ( "Please fill in the 'Address' box." );
    		valid = false;
    	    }
    	    
    	    // validate city field
    	    if ( document.registration_form.city.value == "" )
    	    {
    		alert ( "Please fill in the 'City' box." );
    		valid = false;
    	    }
    	    
    	    // validate state field
    	    if ( document.registration_form.state.value == "" )
    	    {
    		alert ( "Please fill in the 'State' box." );
    		valid = false;
    	    }
    	    
    	    // validate zip field
    	    if ( document.registration_form.zip.value == "" )
    	    {
    		alert ( "Please fill in the 'Zip' box." );
    		valid = false;
    	    }
    	    else if ( isNaN( document.registration_form.zip.value ) )
    	    {
    		alert ( "Please enter a 5-digit zip code." );
    		valid = false;
    	    }
    	    
    	    // validate phone field
    	    if ( document.registration_form.phone.value == "" )
    	    {
    		alert ( "Please fill in the 'Phone' box." );
    		valid = false;
    	    }
    	    else if ( isNaN( document.registration_form.phone.value ) )
    	    {
    		alert ( "Please enter a 10-digit phone number." );
    		valid = false;
    	    }
    	    
    	    // validate email field
    	    var emailFilter=/^.+@.+\..{2,3}$/;
    	    if ( document.registration_form.email.value == "" )
    	    {
    		alert ( "Please fill in the 'Email' box." );
    		valid = false;
    	    }
    	     else if (!(emailFilter.test(document.registration_form.email.value))) {
    	       alert ("Please enter a valid email address.");
    	       valid = false;
    	    }
    
    	    if ( valid == true )
    	    {
    		alert ("Thank you for registering." );
    	    }
    
    	    return valid;
    	  }
    
    	  //-->
    	  </script>
    
    	  <h1>Newsletter Registration Form</h1>
    	  <p>$error_message</p>
    	  <FORM NAME="registration_form" ACTION="form_validation.cgi" METHOD="POST" onsubmit="return validate_form();">
    	  
    	  <table border="3" width="100%" bgcolor="#D5D5FF" bordercolor="blue" cellspacing="0">
    	    <tr>
    	      <td width="30%" align="right"><b>First Name:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="fname" VALUE="$fname" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Last Name:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="lname" VALUE="$lname" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Address:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="address" VALUE="$address" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>City:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="city" VALUE="$city" SIZE=40></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>State:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="state" VALUE="$state" SIZE=2 MAXLENGTH="2"></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Zip:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="zip" VALUE="$zip" SIZE=5 MAXLENGTH="5"></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Phone:</b><br>Do not include () or -</td>
    	      <td width="70%"><INPUT TYPE="text" NAME="phone" VALUE="$phone" SIZE=10 MAXLENGTH=10></td>
    	    </tr>
    	    <tr>
    	      <td width="30%" align="right"><b>Email:</b></td>
    	      <td width="70%"><INPUT TYPE="text" NAME="email" VALUE="$email" SIZE=40></td>
    	    </tr>
    	  </table>
    	  <br>
    	  <hr size="2" color="blue">
    	  <center>
    	    <INPUT TYPE="submit" NAME="submit" VALUE="Submit Data">
    	    <INPUT TYPE="reset" NAME="clear" VALUE="Clear Data">
    	  </center>
    	  </FORM>
    	</body></html>
    
    END_HTML
    }
    
    
    
    # Server-side validation in Perl
    sub validate_form
    {
    	my $fname = $query->param("fname");
    	my $lname = $query->param("lname");
    	my $address = $query->param("address");
    	my $city = $query->param("city");
    	my $state = $query->param("state");
    	my $zip = $query->param("zip");
    	my $phone = $query->param("phone");
    	my $email = $query->param("email");
    
    	my $error_message = "";
    
    	$error_message .= "Please enter your first name<br/>" if ( !$fname );
    	$error_message .= "Please enter your last name<br/>" if ( !$lname );
    	$error_message .= "Please enter your address<br/>" if ( !$address );
    	$error_message .= "Please enter your city<br/>" if ( !$city );
    	$error_message .= "Please enter your state<br/>" if ( !$state );
    	$error_message .= "Please enter your zip<br/>" if ( !$zip );
    	$error_message .= "Please enter your phone<br/>" if ( !$phone );
    	$error_message .= "Please enter your email<br/>" if ( !$email );
    
    	if ( $error_message )
    	{
    		# Errors with the form - redisplay it and return failure
    		display_form ( $error_message, $fname, $lname, $address, $city, $state, $zip, $phone, $email );
    		return 0;
    	}
    	else
    	{
    		# Form OK - return success
    		return 1;
    	}
    }
    FILE: db_register.sql
    Code:
    CREATE DATABASE db_register;
    
    USE db_register;
    
    CREATE TABLE contact (
      fname VARCHAR(20),
      lname VARCHAR(20),
      address VARCHAR(30),
      city VARCHAR(20),
      state VARCHAR(2),
      zip SMALLINT(5),
      phone VARCHAR(12),
      email VARCHAR(30) NOT NULL,
      PRIMARY KEY(email)
    );

  8. #8
    Join Date
    Oct 2007
    Location
    Vienna, Austria
    Posts
    391
    Yes, actually, I caught a problem by quickly looking at the code (there may be other things I didn't notice):
    Code:
    'INSERT INTO contact(fname,lname,address,city,state,zip,phone,email) 
    values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")'
    This is a literal string. I guess you want the $variables interpolated. If you want to keep the "double quotes" around the variables' values, then you can use the qq quote operator:
    Code:
    qq{INSERT INTO contact(fname,lname,address,city,state,zip,phone,email) 
    values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")}

  9. #9
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    Thanks for pointing that out. I did some quick reading about interpolating perl variables into SQL statements @ http://search.cpan.org/~markstos/SQL...Interpolate.pm and put together the following. Does this look good?

    Code:
    $dbh->do ( qq ( INSERT INTO contact ( fname, lname, address, city, state, zip, phone, email ) values( ?, ?, ?, ?, ?, ?, ?, ? ) ), $fname, $lname, $address, $city, $state, $zip, $phone, $email );
    The author had this sample bit of code:
    Code:
      $dbh->do(qq(
          INSERT INTO table (color, shape, width, height, length)
                      VALUES(?,     ?,     ?,     ?,      ?     )
      ), undef, $c, $s, $w, $h, $l);
    Or is just using the qq operator like you said actually going to insert the values behind the perl variables into my sql table?
    Last edited by dupank; 03-31-2009 at 04:20 AM.

  10. #10
    Join Date
    Oct 2007
    Location
    Vienna, Austria
    Posts
    391
    Should work but I'm not sure if the use of ?'s help anything here. They don't help readability as far as I'm concerned. But whatever gets your job done...

  11. #11
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    If I didn't use the ?s would I simply omit them?

    ie.
    Code:
    $dbh->do ( qq ( INSERT INTO contact ( fname, lname, address, city, state, zip, phone, email ) values( , , , , , , ,  ) ), $fname, $lname, $address, $city, $state, $zip, $phone, $email );
    I appreciate all your help.

  12. #12
    Join Date
    Oct 2007
    Location
    Vienna, Austria
    Posts
    391
    no :-) More like this:
    Code:
    $dbh->do ( qq { INSERT INTO contact
        (  fname,    lname,    address,    city,    state,   zip,   phone,    email ) values
        ('$fname', '$lname', '$address', '$city', '$state', $zip, '$phone', '$email') } );
    i.e. instead of the ?'s, substitute the values.

    But the strings need to be quoted and methinks DBI likes single quotes there but it only applies for character data, so the $zip variable has no quotes around it because you declared it as a SMALLINT. I'm just guessing here though. My experience with SQL is grossly small.

  13. #13
    Join Date
    Nov 2002
    Location
    England
    Posts
    693
    You want to stick with the '?' syntax otehrwise you run the risk of SQL injection.

  14. #14
    Join Date
    Oct 2007
    Location
    Vienna, Austria
    Posts
    391
    ++ Good point.

  15. #15
    Join Date
    Mar 2009
    Location
    Minnesota
    Posts
    8
    Thanks guys. Cheers.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles