
I am able to fetch data from the DB but not able to display it in the browser. Below is the code:

use strict;
use warnings;
use CGI;
use DBI;

my $q = CGI->new;
print $q->header, $q->start_html('testing');
my $title = $q->param('title');
my $perl  = "";

# these are displayed properly
print "<font color=blue><b>TITLE:\"$title\"</b><br>";
print "<font color=blue><b>SCRIPT:\"$title\"</b>\n";

my $dbh = DBI->connect("DBI:ODBC:test", "username", "password")
    || die "Connection error: $DBI::errstr\n";

# the title comes straight from the request and is interpolated into the SQL text
my $sql = "select * from tablename where title = '$title'";
my $sth = $dbh->prepare($sql);
$sth->execute or die "Query failed: " . $sth->errstr;
my @row = $sth->fetchrow_array;

# loop starts at 1, but array indices start at 0; $i == 5 picks the 6th column
for (my $i = 1; $i <= @row; $i++) {
    if ($i == 5) {
        $perl = $row[$i];
    }
}

# below is not displayed in browser
print $q->strong($title);
print $q->strong($perl);

$sth->finish();
$dbh->disconnect;

print $q->end_html;

I just want to print the values of $title and $perl in the browser. The program runs without error, but it does not display the values of $title and $perl.

vivek
  • @mpapec — The manually generated font elements are working though, so that must have been done already. – Quentin Feb 11 '14 at 07:15
  • I don't understand how `print "TITLE:\"$title\"";` works but `print $q->strong($title);` doesn't, since they use the same variables. – Quentin Feb 11 '14 at 07:16
  • This code is horribly vulnerable to SQL Injection and XSS attacks though. – Quentin Feb 11 '14 at 07:16
  • @mpapec I am able to get the value through cmd when running the CGI file – vivek Feb 11 '14 at 07:23
  • This code is incomplete, as you have not shown how you print your HTML header, or create your CGI object. – TLP Feb 11 '14 at 07:37
  • Try printing the rows manually, to see if the query worked properly: `use Data::Dumper; print Dumper \@row;` – TLP Feb 11 '14 at 07:42
  • Also, check the web server error log to see if you got an error message. If the execution seemed to stop at that point, it may be that the connection failed and the script died. – TLP Feb 11 '14 at 08:19

2 Answers


The reason for the failure is not obvious to me, but you should use placeholders when performing queries:

my $sql = "select * from tablename where title = ?";  # placeholder
my $sth = $dbh->prepare($sql);
$sth->execute($title);                                # the value is bound here, not in the SQL text

The placeholder is a question mark ?. This will ensure that your values are quoted properly, and prevent injection attacks. Using the data from the CGI object without sanitizing it is very dangerous.

Also, it seems that you are only taking one value from the array, so there is little need to use a loop in the first place. You could just do:

my $row = $row[5];

To see if the value was in the database, you can use if (defined $row), or if (@row >= 6). (Note that arrays start at 0, so the element with index 5 is actually the 6th element. Just pointing this out since you started your loop at 1.)

TLP
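The following is an added example, not code from the question or from either answer. It takes the query from the question and shows side by side what the interpolated version does with an awkward or hostile title and what the placeholder version does, then escapes the values before printing them, which is the XSS point raised in the comments. It uses an in-memory SQLite database (DBD::SQLite) with a constructed row so it runs offline; the table name and the six-column layout (script in the 6th column) are assumptions chosen to match the question's `$row[5]`.

```perl
#!/usr/bin/perl
# Added example (not from the original question or answers).
# Assumes DBD::SQLite is installed; table and column layout are made up.
use strict;
use warnings;
use DBI;
use CGI;

# RaiseError => 1 makes connect/prepare/execute die on failure instead of
# returning undef, so a failed query ends up in the web server error log
# rather than producing a silently empty page.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data: the title contains a single quote and the
# script column contains HTML, to exercise both failure modes.
$dbh->do("CREATE TABLE tablename (id INTEGER, title TEXT, author TEXT, " .
         "year INTEGER, notes TEXT, script TEXT)");
$dbh->do("INSERT INTO tablename VALUES (?, ?, ?, ?, ?, ?)", undef,
         1, "O'Reilly's guide", "vivek", 2014, "n/a",
         "<script>alert(1)</script> print 'hello';");

# How the question built the statement: the client-supplied title becomes
# part of the SQL text.
sub interpolated_sql {
    my ($title) = @_;
    return "select * from tablename where title = '$title'";
}

# Runs the interpolated statement and counts the rows it returns.
sub rows_matching_interpolated {
    my ($dbh, $title) = @_;
    my $sth = $dbh->prepare(interpolated_sql($title));
    $sth->execute;
    my $n = 0;
    $n++ while $sth->fetchrow_arrayref;   # undef when no rows are left
    return $n;
}

# Placeholder version: the value is bound at execute time and never touches
# the SQL text, so quoting is the driver's job, not ours.
sub fetch_script_by_title {
    my ($dbh, $title) = @_;
    my $sth = $dbh->prepare("select * from tablename where title = ?");
    $sth->execute($title);               # the value goes here
    my @row = $sth->fetchrow_array;      # empty list when nothing matched
    $sth->finish;
    return undef unless @row;
    return $row[5];                      # index 5 is the 6th column (script)
}

my $title = "O'Reilly's guide";

# 1. A legitimate title with a quote breaks the interpolated statement.
my $ok = eval { $dbh->do(interpolated_sql($title)); 1 };
print "interpolated query with a quoted title: ", ($ok ? "ran\n" : "failed: $@");

# 2. A crafted title changes the meaning of the statement: no title matches,
#    yet the row comes back because the WHERE clause is now always true.
my $hostile = "x' or '1'='1";
print "interpolated SQL for hostile title: ", interpolated_sql($hostile), "\n";
print "rows returned for hostile title:    ", rows_matching_interpolated($dbh, $hostile), "\n";

# 3. The placeholder version handles the quote and returns only real matches.
my $script = fetch_script_by_title($dbh, $title);
print "placeholder query found the row:    ", (defined $script ? "yes" : "no"), "\n";
print "placeholder query, unknown title:   ",
      (defined fetch_script_by_title($dbh, "no such title") ? "row" : "undef"), "\n";

# 4. Output side: escape before printing, or the stored <script> runs in the
#    viewer's browser. CGI::escapeHTML is the function CGI.pm provides for this.
print "unescaped: $script\n";
print "escaped:   ", CGI::escapeHTML($script), "\n";

$dbh->disconnect;
```

Run it as `perl example.pl`; no web server is needed. The two things to take from it are that `execute($title)` is where the value belongs (the SQL string itself contains only the `?`), and that fixing the query does nothing for the output side: anything read back from the database still has to go through `escapeHTML` (or the equivalent) before it is printed into the page.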

Try running it straight from the command line, without the browser.

See here and here.

You can also use the Perl debugger, if you start it with:

perl -d yourprogram
Mark Setchell