www.webdeveloper.com

Thread: problem passing html form values into perl

  1. #1
    Join Date
    Nov 2010
    Posts
    3

    problem passing html form values into perl

    Hi, I have this code. I am trying to pass my HTML form values into Perl and then to MySQL. My problem is that as soon as I submit the form, I get an error.
    Error message:
    malformed header from script. Bad header=CSV, DBM, ExampleP, File, Gofe: insert_data.pl


    This is my code for Perl. It passes blank values to the MySQL table successfully, so the problem is with the values passing from HTML to Perl. Please help me with this.


    #!/usr/bin/perl

    use DBI;
    use CGI;
    my @drivers = DBI->available_drivers;

    print join(", ",@drivers),"\n";

    my $driver = "mysql";
    my $database = "database";
    my $username = "root";
    my $password = "root";
    my $host = "localhost";
    my $port = 3306;

    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    #read the values from environment variable. store in buffer.
    @pairs = split(/&/, $buffer);
    #split that buffer value
    foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    #separate name and values from the pair.
    $value =~ tr/+/ /;
    #replace every + in the value with a space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/<!--(.|\n)*-->//g;
    $value =~ s/<([^>]|\n)*>//g;
    $FORM{$name} = $value;
    #assign the value to its name
    }

    my $q=new CGI;

    my $fname=$q->param('fname');
    #get the parameter from your html form.
    my $lname=$q->param('lname');
    my $mname=$q->param('mname');

    #print $q->header;

    $dbh = DBI->connect("DBI:$driver:database=$database;host=$host;port=$port",
    $username,$password) or die "Connection error";

    $sql="INSERT INTO inventory(fname,mname,lname) values('$fname','$mname','$lname')";
    $sth = $dbh->prepare($sql)
    or die "Can't prepare $sql: " . $dbh->errstr . "\n";
    #pass sql query to database handle..

    $rv = $sth->execute
    or die "can't execute the query: " . $sth->errstr . "\n";

  2. #2
    Join Date
    Sep 2006
    Location
    England
    Posts
    29
    You're printing join(", ",@drivers),"\n"; before sending any (valid) headers to the browser, which is why it's interpreting it as a malformed header. You have the print $q->header; line further down, but it's commented out anyway.

    Also, not sure why you're doing this:
    Code:
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    #read the values from environment variable. store in buffer.
    @pairs = split(/&/, $buffer);
    #split that buffer value
    foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    #separate name and values from the pair.
    $value =~ tr/+/ /;
    #replace every + in the value with a space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/<!--(.|\n)*-->//g;
    $value =~ s/<([^>]|\n)*>//g;
    $FORM{$name} = $value;
    #assign the value to its name
    }
    When you're already using the CGI module to get the form parameters.

    And something you might want to avoid:

    Code:
    $sql="INSERT INTO inventory(fname,mname,lname) values('$fname','$mname','$lname')";
    $sth = $dbh->prepare($sql)
    Interpolating variables directly into the SQL statement makes the code easily breakable if someone enters a quote character into the form (for example) and also leaves you vulnerable to SQL injection.

    If you put placeholders in the prepare statement, when you execute it with the actual data it should take care of all that for you.

    Code:
    $sth = $dbh->prepare("INSERT INTO inventory(fname, mname, lname) values(?, ?, ?)"); 
    $sth->execute($fname, $mname, $lname);
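
The two points from the reply above (header before any output, placeholders instead of interpolation), put together as an added example that is not part of the original thread. It assumes the CGI and DBD::SQLite modules are installed; an in-memory SQLite table stands in for the thread's MySQL `inventory` table, and the sample names are constructed.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Assumption: DBD::SQLite is available;
# an in-memory table replaces the MySQL "inventory" table so this runs offline.
use strict;
use warnings;
use CGI;
use DBI;

my $q = CGI->new;
# Send a valid header before any other output; printing anything else first
# is what produces "malformed header from script".
print $q->header('text/plain');

# Constructed sample input, used when no form data was submitted.
my %sample = (fname => 'Conan', mname => 'Patrick', lname => "O'Brien");
my %in;
for my $field (qw(fname mname lname)) {
    my $v = $q->param($field);      # scalar context: one value per field
    $in{$field} = defined $v ? $v : $sample{$field};
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE inventory (fname TEXT, mname TEXT, lname TEXT)');

# 1) Interpolated SQL, as in the original post: the apostrophe in the data
#    ends the string literal early, so the statement no longer parses.
my $bad = "INSERT INTO inventory(fname,mname,lname) "
        . "values('$in{fname}','$in{mname}','$in{lname}')";
my $ok = eval { $dbh->do($bad); 1 };
print "interpolated: ", ($ok ? "inserted\n" : "failed: " . $dbh->errstr . "\n");

# 2) Placeholders, as in the reply: the values are passed separately from the
#    SQL text, so the same input is stored verbatim.
my $sth = $dbh->prepare(
    'INSERT INTO inventory(fname, mname, lname) values(?, ?, ?)');
$sth->execute(@in{qw(fname mname lname)});

my ($stored) = $dbh->selectrow_array(
    'SELECT lname FROM inventory WHERE fname = ?', undef, $in{fname});
print "placeholders: stored lname = $stored\n";

$dbh->disconnect;
```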
