PerlMonks  

Re: Re: Re: Re: Re: Right answer (wrong question...)

by jarich (Curate)
on Feb 24, 2004 at 23:07 UTC [id://331545]


in reply to Re: Re: Re: Re: Right answer (wrong question...)
in thread Right answer (wrong question...)

Almost right.

You need to make just one or two changes....

    if ($entry_order eq '1') {
    }
    {
        my $insert = "INSERT INTO `mysql_db` (`Title`, `Email`, `City`, `State`, `Country`, `URL`, `Date`, `Description`, `rid`, `dt_create`, `publish`, ) VALUES (";
    }
needs to become:
    my $insert;
    if ($entry_order eq '1') {
    }
    # the trailing comma after `publish` in the column list is a MySQL syntax error, so it is dropped here
    $insert = "INSERT INTO `mysql_db` (`Title`, `Email`, `City`, `State`, `Country`, `URL`, `Date`, `Description`, `rid`, `dt_create`, `publish`) VALUES (";
and you need to move the insertion into the database up into the loop too.
    if ($entry_order eq '0') {
        $insert .= "<!--begin-->\n";
        # This will cause an error
        }
    }
    else {
        $insert .= $_;
    }
    }
    $sth=$dbh->prepare($insert);
    $sth->execute();
    $dbh->disconnect();
Becomes:
        # Removed code which would cause an error
        }
        else {
            $insert .= $_;
        }
        $sth=$dbh->prepare($insert);
        $sth->execute();
    }
    $dbh->disconnect();
You'll also need to make some beauty changes... this:
    if ( $FORM{'Description'} ){
        $insert .= "$FORM{'Description'}, '', NOW(), 0) \n\n";
    }
should become this:
    if ( $FORM{'Description'} ){
        $insert .= "$FORM{'Description'}, '', NOW(), 0)";
    }
etc. I'll leave any other of these up to you. What I've done is remove the two newlines which were there so that the SQL would be easy to read in the file. I believe that MySQL would accept the newlines without a problem, but they're probably best removed.
Now while this will PROBABLY solve most of your problems this will NOT make your code in the remotest bit secure. Nothing in this code appears to be able to stop me from adding something like the below into the description field.
', '', NOW(), 0); drop table mysql_db; '
(quotes included). As far as I understand your code this should result in no errors, but should quietly drop your mysql_db table and lose all its records.

This is why we've been recommending placeholders.

You can rewrite this code to use placeholders in a few ways. You can use the compact version that I suggested in my previous answer (which should work and would look a tonne nicer) or you could work them into this ugly assignment tree. Of course you could just hope that no one's going to be malicious and try to delete your data too.... but I don't recommend it.

At the very least you should replace all occurrences that look like:

$insert .= "$FORM{'URL'}";
to look like:
$insert .= $dbh->quote($FORM{'URL'});
and don't forget to quote $FORM{Description} too.

Good luck with all of this. I hope you've learned something. I'm sure that with a little bit more work you could have written your own guestbook script to use the database and do almost everything else you wanted. In fact, I recommend that you give that a go sometime, because it'll probably be a great learning experience.

If my suggestions here still don't solve all of your problems then stop and think hard about what the code is actually doing, before you post again. And if you still don't understand what it's doing then AT THE VERY LEAST don't just say "it gives me errors"; tell us WHAT errors it gives you. If the errors are on line 8 then tell us what line is line 8. Tell us what you've tried. Tell us what you think is happening.

Give us some reason to believe that you're actually investing your own time into this problem rather than just insisting that we invest our own.

Hope this helps,

jarich
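As an added example (not code from this thread or from the guestbook script), here is the INSERT rewritten with DBI placeholders as recommended above, then fed the exact hostile description from the post. It assumes DBD::SQLite is installed so it runs offline, and uses CURRENT_TIMESTAMP where the MySQL script used NOW().

```perl
use strict;
use warnings;
use DBI;

# Added example, not code from the thread or the guestbook script.
# Assumes DBD::SQLite is installed so it runs offline; the SQL is also
# valid MySQL (CURRENT_TIMESTAMP where the original used NOW()).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Same columns as the `mysql_db` table the script inserts into.
$dbh->do(<<'SQL');
CREATE TABLE `mysql_db` (
    `Title` TEXT, `Email` TEXT, `City` TEXT, `State` TEXT, `Country` TEXT,
    `URL` TEXT, `Date` TEXT, `Description` TEXT, `rid` TEXT,
    `dt_create` TEXT, `publish` INTEGER
)
SQL

# One prepared INSERT with placeholders. Form values are passed to execute()
# as bind values, never interpolated into the SQL text, so quotes and
# semicolons in a field are stored as data rather than parsed as SQL.
my $sth = $dbh->prepare(<<'SQL');
INSERT INTO `mysql_db`
    (`Title`, `Email`, `City`, `State`, `Country`, `URL`, `Date`,
     `Description`, `rid`, `dt_create`, `publish`)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, '', CURRENT_TIMESTAMP, 0)
SQL

sub insert_entry {
    my ($form, $date) = @_;   # $form: the script's %FORM hash, by reference
    return $sth->execute(@{$form}{qw(Title Email City State Country URL)},
                         $date, $form->{Description});
}

# Constructed submission carrying the hostile description from the post.
my %FORM = (
    Title   => 'Test entry',
    Email   => 'visitor@example.invalid',
    City    => 'Melbourne', State => 'VIC', Country => 'Australia',
    URL     => 'http://example.invalid/',
    Description => q{', '', NOW(), 0); drop table mysql_db; '},
);
insert_entry(\%FORM, '24/02/2004');

# Check that the table survived and the description was stored as submitted.
my ($rows) = $dbh->selectrow_array('SELECT COUNT(*) FROM `mysql_db`');
my ($desc) = $dbh->selectrow_array('SELECT `Description` FROM `mysql_db`');
print "rows: $rows\n";
print "description stored verbatim: ", ($desc eq $FORM{Description} ? 'yes' : 'no'), "\n";
$dbh->disconnect;
```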

Re: Re: Re: Re: Re: Re: Right answer (wrong question...)
by bobafifi (Beadle) on Feb 25, 2004 at 02:09 UTC
    Hi Jarich,

    Like this??

    # MySQL
    my $insert;
    if ($entry_order eq '1') {
    }
    $insert = "INSERT INTO `mysql_db` (`Title`, `Email`, `City`, `State`, `Country`, `URL`, `Date`, `Description`, `rid`, `dt_create`, `publish`, ) VALUES (";
    }
    if ($line_breaks == 1) {
        $FORM{'Title'} =~ s/\cM\n/\n/g;
    }
    $insert .= "$FORM{'Title'}";
    $insert .= ", ";
    if ( $FORM{'Email'} ){
        my $email_name = $dbh->quote($FORM{'Email'});
        # if ($linkmail eq '1') {
            $insert .= $email_name;
        # }
        # else {
        #     $insert .= "$FORM{'Email'}";
        # }
        $insert .= ", ";
    }
    if ( $FORM{'City'} ){
        $insert .= "$FORM{'City'}";
    }
    {
        $insert .= ", ";
    }
    if ( $FORM{'State'} ){
        $insert .= "$FORM{'State'}";
    }
    {
        $insert .= ", ";
    }
    if ( $FORM{'Country'} ){
        $insert .= "$FORM{'Country'}";
    }
    {
        $insert .= ", ";
    }
    if ($FORM{'URL'}) {
        $insert .= "$FORM{'URL'}";
    }
    else {
        $insert .= "$FORM{'URL'}";
    }
    {
        $insert .= ", ";
    }
    if ($separator eq '1') {
        $insert .= "'$date'";
    }
    else {
        $insert .= "'$date'";
    }
    {
        $insert .= ", ";
    }
    if ( $FORM{'Description'} ){
        $insert .= "$FORM{'Description'}, '', NOW(), 0)";
    }
    else {
        $insert .= $_;
    }
    $sth=$dbh->prepare($insert);
    $sth->execute();
    }
    $dbh->disconnect();
    Thanks,

    -Bob

    bobafifi.com

      What kind of errors? Please read How (Not) To Ask A Question. It will help us be able to help you better.

      Also, is there any reason you are tied to this script? Others have suggested it and I will reiterate: have you looked at nms? I hate to say this to you but I am not going to spend much more time trying to help you with this script as I feel it is bad and insecure code. If you decide to use nms or write your own I would be more than welcome to help you, but you first need to read How (Not) To Ask A Question and do what it suggests. You started out with too little information and you didn't include any errors... not a good thing to do. Do some reading and then come back enlightened.

        Hi MCS,

        The "500 Internal Server Error" message I get is:
        Internal Server Error
        The server encountered an internal error or misconfiguration and was unable to complete your request.
        Please contact the server administrator, webmaster@usedflutes.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
        More information about this error may be available in the server error log.


        I have tried to articulate the problem as best as I can in modifying Matt Wright's well known (and replicable...) "Guestbook" script.

        That CountZero's code "works" (i.e., the script runs fine and posts an INSERT string to MySQL) while other attempts to modify the script since have not is all I know, sorry.

        Thanks anyway.

        -Bob

        bobafifi.com
