I was given a project to create a simple HTML registration form in which the data is validated using Javascript. It is then validated on the server side using Perl before being sent to a mySQL database. This is my first time using Perl so I would appreciate some expert feedback. Have I gotten this right? Any productive feedback will be greatly appreciated. Thanks.






(Here is my SQL database named db_register.sql)





CREATE DATABASE db_register;

USE db_register;

CREATE TABLE contact (
fname VARCHAR(20),
lname VARCHAR(20),
address VARCHAR(30),
city VARCHAR(20),
state VARCHAR(2),
zip SMALLINT(5),
phone VARCHAR(12),
email VARCHAR(30) NOT NULL,
PRIMARY KEY(email)
);







(Here is my code named register.cgi)





sub display_form
{
my $error_message = shift;
my $fname = shift;
my $lname = shift;
my $address = shift;
my $city = shift;
my $state = shift;
my $zip = shift;
my $phone = shift;
my $email = shift;

# Remove and potentially malicious HTML tags
$fname =~ s/<([^>]|\n)*>//g;
$lname =~ s/<([^>]|\n)*>//g;
$address =~ s/<([^>]|\n)*>//g;
$city =~ s/<([^>]|\n)*>//g;
$state =~ s/<([^>]|\n)*>//g;
$zip =~ s/<([^>]|\n)*>//g;
$phone =~ s/<([^>]|\n)*>//g;
$email =~ s/<([^>]|\n)*>//g;

#Display the form
print <<END_HTML;
<html>

<head>
<title>Newsletter Registration Form</title>
</head>

<body>

<script type="text/javascript">
<!--

function validate_form ( )
{
valid = true;

// validate name fields
if ( document.registration_form.fname.value == "" )
{
alert ( "Please fill in the 'First Name' box." );
valid = false;
}
if ( document.registration_form.lname.value == "" )
{
alert ( "Please fill in the 'Last Name' box." );
valid = false;
}

// validate address field
if ( document.registration_form.address.value == "" )
{
alert ( "Please fill in the 'Address' box." );
valid = false;
}

// validate city field
if ( document.registration_form.city.value == "" )
{
alert ( "Please fill in the 'City' box." );
valid = false;
}

// validate state field
if ( document.registration_form.state.value == "" )
{
alert ( "Please fill in the 'State' box." );
valid = false;
}

// validate zip field
if ( document.registration_form.zip.value == "" )
{
alert ( "Please fill in the 'Zip' box." );
valid = false;
}
else if ( isNaN( document.registration_form.zip.value ) )
{
alert ( "Please enter a 5-digit zip code." );
valid = false;
}

// validate phone field
if ( document.registration_form.phone.value == "" )
{
alert ( "Please fill in the 'Phone' box." );
valid = false;
}
else if ( isNaN( document.registration_form.phone.value ) )
{
alert ( "Please enter a 10-digit phone number." );
valid = false;
}

// validate email field
var emailFilter=/^.+@.+\..{2,3}$/;
if ( document.registration_form.email.value == "" )
{
alert ( "Please fill in the 'Email' box." );
valid = false;
}
else if (!(emailFilter.test(document.registration_form.email.value))) {
alert ("Please enter a valid email address.");
valid = false;
}

if ( valid == true )
{
alert ("Thank you for registering." );
}

return valid;
}

//-->
</script>

<h1>Newsletter Registration Form</h1>
<p>$error_message</p>
<FORM NAME="registration_form" ACTION="form_validation.cgi" METHOD="POST" onsubmit="return validate_form();">

<table border="3" width="100%" bgcolor="#D5D5FF" bordercolor="blue" cellspacing="0">
<tr>
<td width="30%" align="right"><b>First Name:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="fname" VALUE="$fname" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>Last Name:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="lname" VALUE="$lname" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>Address:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="address" VALUE="$address" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>City:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="city" VALUE="$city" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>State:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="state" VALUE="$state" SIZE=2 MAXLENGTH="2"></td>
</tr>
<tr>
<td width="30%" align="right"><b>Zip:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="zip" VALUE="$zip" SIZE=5 MAXLENGTH="5"></td>
</tr>
<tr>
<td width="30%" align="right"><b>Phone:</b><br>Do not include () or -</td>
<td width="70%"><INPUT TYPE="text" NAME="phone" VALUE="$phone" SIZE=10 MAXLENGTH=10></td>
</tr>
<tr>
<td width="30%" align="right"><b>Email:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="email" VALUE="$email" SIZE=40></td>
</tr>
</table>
<br>
<hr size="2" color="blue">
<center>
<INPUT TYPE="submit" VALUE="Submit Data">
<INPUT TYPE="reset" VALUE="Clear Data">
</center>
</FORM>
</body></html>

END_HTML
}

sub validate_form
{
my $fname = $query->param("fname");
my $lname = $query->param("lname");
my $address = $query->param("address");
my $city = $query->param("city");
my $state = $query->param("state");
my $zip = $query->param("zip");
my $phone = $query->param("phone");
my $email = $query->param("email");

my $error_message = "";

$error_message .= "Please enter your first name<br/>" if ( !$fname );
$error_message .= "Please enter your last name<br/>" if ( !$lname );
$error_message .= "Please enter your address<br/>" if ( !$address );
$error_message .= "Please enter your city<br/>" if ( !$city );
$error_message .= "Please enter your state<br/>" if ( !$state );
$error_message .= "Please enter your zip<br/>" if ( !$zip );
$error_message .= "Please enter your phone<br/>" if ( !$phone );
$error_message .= "Please enter your email<br/>" if ( !$email );

if ( $error_message )
{
# Errors with the form - redisplay it and return failure
display_form ( $error_message, $fname, $lname, $address, $city, $state, $zip, $phone, $email );
return 0;
}
else
{
# Form OK - return success
return 1;
}
}

#!/usr/bin/perl

use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use DBI;

# Connection to CGI and Database
$q = new CGI;
$dbh = DBI->connect('dbi:mysql:database=db_register','','',{RaiseError=>1});

# Output the HTTP header
print $q->header ();

# Process form if submitted; otherwise display it
if ( $q->param("submit") )
{
process_form();
}
else
{
display_form();
}

sub process_form
{
if ( validate_form () )
{
# Insert form elements into database
my $sql= $dbh->prepare('INSERT INTO contact(fname,lname,address,city,state,zip,phone,email)
values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")');

$sql->execute();

# Finish database connection
$dbh->disconnect if $dbh;

# Display Thank You page
print <<END_HTML;
<html><head><title>Thank You</title></head>
<body>
Thank you for registering!
</body></html>
END_HTML
}
}