Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Ranguard (1858)

Ranguard
  (email not shown publicly)
http://leo.cuckoo.org/

Journal of Ranguard (1858)

Thursday September 26, 2002
08:56 AM

CGI / DB / TT quick example

[ #8029 ]
Over the last few months several people have asked me how to create a cgi script that uses a database and then prints out the results.

Often they're just looking for an example rather than a full blown explination. So here one is http://leo.cuckoo.org/projects/cgi_db_tt_example/

Still need to write up YAPC::E! Patches / comments welcome, though it's not mean't to be perfect, it's just mean't to get people going.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Leo, There are numerous issues with this code
    1. You're not using taint
    2. You're placing stuff directly into a SQL statement from a parameter without quoting it first. This is essentially letting anyone execute arbitary SQL code on your server. Use taint.
    3. You've called the name of the variable you're outputting the template to $file, even though it's just a scalar. Why are you using this anyway...just print it to STDOUT by not having a third argument
    4. Your whitespace doesn't format the code very well.
    5. Y
    • Bad Leo, naught leo, no pie!!!!

      Some updates made, will look at rest soon, my brain has just decided to start thumping and turned to a pile of goo at the same time :(

      others

      1. Could use DBI plugin but didn't want to as I don't agree with it in the Template unless it's a quick hack.
      2. Guess so, but I'll leave it for now as I consider it just for debuging, though I guess a dodgy bit of user data could do something odd later.
      • 2. Guess so, but I'll leave it for now as I consider it just for debuging, though I guess a dodgy bit of user data could do something odd later.
        Yeah, you're leaving yourself open somewhat to a cross site scripting attack. Best to use an error template (if you're going to print out anything to the browser) and do a [% error.info | html %]
  • You aren't being sufficiently lazy! :)
    • bind variables, let DBI quote them for you
    • RaiseError to trap DBI errors
    • replace sql_to_array_of_hashes with $dbh->selectall_arrayref($sql, { Slice => {} }, @data)