Here is a script I made to do database inserts. Should I limit the amount of data that can be posted to prevent buffer overflows? I guess that there shouldn't be anymore than 30,000 characters in the text area so I was figuring using $CGI::POST_MAX = 30000. I did this assuming that 30,000 ASCII characters assuming that 1 ASCII character is 1 byte.
Also I think my query is immune from SQL injection attacks. Is it?
#!/usr/bin/perl -wT
use DBI;
use strict;
use CGI;
$CGI::POST_MAX = 30000;
use POSIX 'strftime';
my $q = CGI->new();
my $id = $q->param ('id');
my $other_comments = $q->param ('other_comments');
my $date = strftime( "%m/%d/%Y",localtime(time) );
##Start database connections##########################
my $database = "database";
my $db_server = "localhost";
my $user = "user";
my $password = "password";
##Connect to database, insert statement, & disconnect##
my $dbh = DBI->connect("DBI:mysql:$database:$db_server", $user, $passw
+ord);
my $statement = "INSERT INTO database (id1, comnt, date1) VALUES (?,?,
+?)";
my $sth;
$sth = $dbh->prepare($statement) or die "Couldn't prepare the query: $
+sth->errstr";
my $rv = $sth->execute($id,$other_comments,$date) or die "Couldn't exe
+cute query: $dbh->errstr";
my $rc = $sth->finish;
$rc = $dbh->disconnect;
#######################################################
print "Content-type: text/html\n\n";
print $date;