Hi, I have this code. I am trying to pass my HTML form values to Perl and then to MySQL. My problem is that as soon as I submit the form, I get an error.
Error message:
malformed header from script. Bad header=CSV, DBM, ExampleP, File, Gofe: insert_data.pl
This is my code for Perl. It passes blank values to the MySQL table successfully, so the problem is with the values passing from HTML to Perl. Please help me with this.
#!/usr/bin/perl
use DBI;
use CGI;
my @drivers = DBI->available_drivers;
print join(", ",@drivers),"\n";
my $driver = "mysql";
my $database = "database";
my $username = "root";
my $password = "root";
my $host = "localhost";
my $port = 3306;
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
#read the values from environment variable. store in buffer.
@pairs = split(/&/, $buffer);
#split that buffer value
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
#separate name and values from the pair.
$value =~ tr/+/ /;
#remove all the + from value..
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ s/<!--(.|\n)*-->//g;
$value =~ s/<([^>]|\n)*>//g;
$FORM{$name} = $value;
#assign all the value to name..
}
my $q=new CGI;
my $fname=$q->param('fname');
#get the parameter from your html form.
my $lname=$q->param('lname');
my $mname=$q->param('mname');
#print $q->header;
$dbh = DBI->connect("DBI:$driver:database=$database;host=$host;port=$port",
$username,$password) or die "Connection error";
$sql="INSERT INTO inventory(fname,mname,lname) values('$fname','$mname','$lname')";
$sth = $dbh->prepare($sql)
or die "Can't prepare $sql: " . $dbh->errstr . "\n";
#pass sql query to database handle..
$rv = $sth->execute
or die "can't execute the query: " . $sth->errstr . "\n";
You're printing join(", ",@drivers),"\n"; before sending any (valid) headers to the browser, which is why it's interpreting it as a malformed header. You have the print $q->header; line further down, but it's commented out anyway.
Also, not sure why you're doing this:
Code:
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
#read the values from environment variable. store in buffer.
@pairs = split(/&/, $buffer);
#split that buffer value
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
#separate name and values from the pair.
$value =~ tr/+/ /;
#remove all the + from value..
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ s/<!--(.|\n)*-->//g;
$value =~ s/<([^>]|\n)*>//g;
$FORM{$name} = $value;
#assign all the value to name..
}
When you're already using the CGI module to get the form parameters.
And something you might want to avoid:
Code:
$sql="INSERT INTO inventory(fname,mname,lname) values('$fname','$mname','$lname')";
$sth = $dbh->prepare($sql)
Interpolating variables directly into the SQL statement makes the code easily breakable if someone enters a quote character into the form (for example) and also leaves you vulnerable to SQL injection.
If you put placeholders in the prepare statement, when you execute it with the actual data it should take care of all that for you.
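The three points from the reply above (header first, form values read through CGI only, placeholders in the SQL) as an added example, not code from either poster. It assumes DBD::SQLite with an in-memory database and a constructed query string so it runs without a web server or MySQL; the prepare/execute calls are the same with the thread's DBI:mysql connection.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Constructed form submission with a quote character in lname.
# In a real CGI request, call CGI->new with no argument and do not
# read STDIN yourself: CGI needs the POST body to fill param().
my $q = CGI->new('fname=Conan&mname=&lname=O%27Brien');

# The header must be the first thing printed, before any other output.
print $q->header('text/plain');

# Assumption: in-memory SQLite stands in for the MySQL server. For the
# thread's setup, connect with
# "DBI:mysql:database=$database;host=$host;port=$port" and credentials.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE inventory (fname TEXT, mname TEXT, lname TEXT)');

# scalar() forces single-value context for each form field.
my @values = map { scalar($q->param($_)) // '' } qw(fname mname lname);

# Interpolated SQL, as in the original post: the quote in O'Brien ends
# the string literal early and the statement no longer parses.
my $interpolated = "INSERT INTO inventory(fname,mname,lname) "
                 . "values('$values[0]','$values[1]','$values[2]')";
my $ok = eval { $dbh->do($interpolated); 1 };
print "interpolated: ", ($ok ? "inserted" : "failed: $@"), "\n";

# Placeholders: the statement text is fixed and the values are bound
# separately at execute time, so the quote is stored as plain data.
my $sth = $dbh->prepare(
    'INSERT INTO inventory(fname,mname,lname) VALUES (?,?,?)');
$sth->execute(@values);

my ($stored) = $dbh->selectrow_array('SELECT lname FROM inventory');
print "placeholders: stored lname = $stored\n";

$dbh->disconnect;
```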