PerlMonks  

Getting a query string.

by Eagle_f91 (Acolyte)
on Oct 27, 2009 at 17:52 UTC ( #803486=perlquestion )
Eagle_f91 has asked for the wisdom of the Perl Monks concerning the following question:

Update: Perl for ISAPI handles the header for me so I don't have to print it myself, I have other scripts written without the print content line using ISAPI working fine for displaying their data, and this script does print the line just not the query string.

I know what you're thinking, getting a query string is easy. That is what I thought, but it just is not working. Can someone look over this code and tell me what is wrong and why the query string is not being pulled?

#!C:\Perl\bin\PerlEx30.dll -w
use strict;
use DBI;
use CGI q~:standard~;
use CGI::Carp qw(fatalsToBrowser);

my ($DBH, $STH, $QueryString, @SQLResults, @Listing, $i, $MaxArray, $SQLString);
$i = 0;
$QueryString = $ENV{'QUERY_STRING'};
print "$QueryString";
$DBH = DBI -> connect ('dbi:ODBC:SQLServer', '', '') or die "$DBI::errstr";
$STH = $DBH -> prepare (qq~select Name, Path from dbo.NavigationCategories where Category = '$QueryString'~) or die "$DBI::errstr";
$STH -> execute or die "$DBI::errstr";
while (@SQLResults = $STH -> fetchrow_array) {
    $Listing[$i] = qq~<a href="http://www.ffinfo.com/$SQLResults[1]">$SQLResults[0]</a>~;
    $i++;
}
if ($i > 0) {
    $MaxArray = $i -1;
    $i = 0;
    while ($i < $MaxArray) {
        $Listing[$i] .= '<br />';
        $i++;
    }
    print "@Listing";
} else {
    print "<!---->";
}
$DBH -> disconnect;

When I go to http://www.ffinfo.com/cgi-bin/navigation.plx?Quotes it does not print the query string.

Re: Getting a query string.
by almut (Canon) on Oct 27, 2009 at 18:26 UTC

    A CGI script needs to output at least a Content-Type header, followed by an empty line (which indicates the end of the headers section), before the actual content begins... As you've already loaded the CGI module, this is most easily done with print header; anywhere before your print $QueryString;.

    BTW, I hope only trusted users are having access to that URI... Otherwise, directly interpolating the QUERY_STRING into an SQL query without any further checks is a very bad idea, security-wise... (better use placeholders)

      Perl ISAPI takes care of the content-type header for me. See the perl FAQ http://docs.activestate.com/activeperl/5.10/faq/Windows/ActivePerl-Winfaq7.html#My_CGI_scripts_don_t_seem_to_run As for your concern on the SQL query, no end user will have direct call access to this script, it will be called via SSI once fully working.
Re: Getting a query string.
by marto (Chancellor) on Oct 27, 2009 at 18:29 UTC

    Hmm, I'd actually suggest rereading the CGI documentation.

    You don't print a HTTP header:

    print header;

    Here you do it "by hand", even though you are using CGI

    You are trusting user input, $QueryString could contain something nasty. See Placeholders and Bind Values from the DBI documentation.

    In addition to reading CGI and DBI I'd also suggest reading Ovid's CGI Course, as well as taking a look at some of the other topics in the CGI Programming section of tutorials.

    Martin

      The perl ISAPI module prints the header fine for me, otherwise you would get an IIS error with an invalid header error. All the scripts that I run like that one never use print header and they work. Example:

      #!C:\Perl\bin\PerlEx30.dll -w
      use strict;
      use DBI;

      my ($DBH, $STH, @Release);
      $DBH = DBI -> connect ('dbi:ODBC:SQLServer', '', '') or die "$DBI::errstr";
      $STH = $DBH -> prepare (qq~select GameName, Console, ReleaseLocation, LongDate from dbo.UpcomingReleases order by ReleaseDate asc~) or die "$DBI::errstr";
      $STH -> execute or die "$DBI::errstr";
      while (@Release = $STH -> fetchrow_array) {
          print qq~<p>$Release[0] <br />Media: $Release[1] <br />Date: $Release[3] <br />Location: $Release[2]</p>~;
      }
      $DBH -> disconnect;

      Also if you go to the URL provided and look at the source code you will see it properly prints the line but never prints the query string. As for me trusting user input, I am not. This script will only be called via SSI inside html pages, I am only directly calling it to test it. As for printing the header "by hand" in that other script you link that one displayed a full page, this script gets data and displays it inline in an SHTML file.
Re: Getting a query string.
by gmargo (Hermit) on Oct 27, 2009 at 18:39 UTC

    As the others have said, the header is missing.

    Here's a variant of a cgi script I use to dump out interesting things, like the environment that the web server is providing.

    #!/usr/bin/perl -w
    use strict;
    use warnings;
    use CGI qw(-debug escapeHTML -oldstyle_urls);

    my $q = CGI->new();
    print $q->header('text/html');
    print "<html>\n";
    print "<body>\n";
    print "<p>Hello, World</p>\n";
    print "<p>\n";
    print "Environment variables:\n";
    print "<br/>\n";
    foreach (sort keys %ENV) {
        print escapeHTML($_)." => ".escapeHTML($ENV{$_})."\n";
        print "<br/>\n";
    }
    print "</p>\n";
    print "</body>\n";
    print "</html>\n";

      Please see my response to the others.
Re: Getting a query string.
by Anonymous Monk on Oct 27, 2009 at 21:50 UTC
    This is really ugly perl 4 code. Learn how we do things post 1993. Why not learn how to debug? DBI without placeholders on the web? Crap code like this gives perl a bad name
      Why don't you learn to be constructive and not just bash the crap out of people's code. It is not people like me coding like this that gives perl a bad name it is jerks like you that give both perl and perlmonks.org a bad name.
Re: Getting a query string.
by Your Mother (Canon) on Oct 27, 2009 at 22:15 UTC

    Wait? You have this up live? If the server side user running the CGI has more than select permissions on the DB, any malicious web visitor could trash it. If that data has any importance to you (i.e., it's not a test) you should remove the CGI *immediately*. Please read up on the links for SQL injection attacks and placeholders already given by other monks.

    (Update: calling it as an SSI is no protection. If it's callable from a web address by a user it doesn't matter if there is a level of indirection.)

      Yes this is live, the user running it only has access to the temp data in that table via select. The data this script pulls is only temp data till I figure out why I can't pull the query string, which I guess I have to do on my own since people here just seem to want to do nothing but bash my code instead of suggesting ways to fix my problem. Calling this via SSI is a protection, the user can't easily find the URL and the permissions on the site are set so once the script works it can not be called directly from the browser but must be called within code.
        Calling this via SSI is a protection, the user can't easily find the URL and the permissions on the site are set so once the script works it can not be called directly from the browser but must be called within code.

        That is the definition of unprotected.

Re: Getting a query string.
by Anonymous Monk on Oct 28, 2009 at 03:31 UTC
    ActiveState recommends you use the CGI OO interface, have you tried  my $q = CGI->new; print $q->query_string? Have you looked in the server logs (or event viewer)?
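
The placeholder approach that almut, marto and Your Mother refer to, shown as an added example that is not part of any post in this thread. Assumptions: an in-memory SQLite table (DBD::SQLite) stands in for dbo.NavigationCategories so the code runs offline, the rows and inputs are constructed, and links_for_category is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use CGI qw(escapeHTML);

# Assumption: in-memory SQLite replaces the ODBC/SQL Server connection.
# The table contents below are constructed sample data.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE NavigationCategories (Name TEXT, Path TEXT, Category TEXT)');
my $ins = $dbh->prepare('INSERT INTO NavigationCategories VALUES (?, ?, ?)');
$ins->execute(@$_) for (
    [ 'Famous Quotes', 'quotes/famous.shtml', 'Quotes' ],
    [ 'Game Quotes',   'quotes/games.shtml',  'Quotes' ],
    [ 'Site News',     'news/index.shtml',    'News'   ],
);

# Hypothetical helper: builds the link list for one category value.
sub links_for_category {
    my ($dbh, $category) = @_;
    return () unless defined $category && length $category;

    # The ? placeholder keeps the value out of the SQL text: the driver
    # passes it as data, so quote characters in it cannot alter the query.
    my $sth = $dbh->prepare(
        'SELECT Name, Path FROM NavigationCategories WHERE Category = ?');
    $sth->execute($category);

    my @links;
    while (my ($name, $path) = $sth->fetchrow_array) {
        # Escape database values before they are placed into HTML.
        push @links, sprintf '<a href="http://www.ffinfo.com/%s">%s</a>',
            escapeHTML($path), escapeHTML($name);
    }
    return @links;
}

# Constructed inputs: a normal category, then a value containing quote
# characters, which is compared as one literal string and matches no row.
for my $input ('Quotes', q{Quotes' OR 'a'='a}) {
    my @links = links_for_category($dbh, $input);
    print scalar(@links), " link(s) for [", escapeHTML($input), "]\n";
    print "  $_\n" for @links;
}
$dbh->disconnect;
```

The same prepare/execute pattern with ? works over DBD::ODBC, so only the connect line differs from the script in the question.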
