http://www.perlmonks.org?node_id=1210748


in reply to Re^2: CGI Action call
in thread CGI Action call

You are reading untrusted user input and using that to create an SQL statement. This is highly unsafe:

    ...
    my $searchterm = $query->param('searchterm');
    ...
    my $stmt = "SELECT * FROM users WHERE $searchfield = $searchterm";
    ...
    my $sth = $dbh->prepare ($stmt)
        or die "Error Preparing:\n" . $stmt . "\nDBI returned: \n", $dbh->errstr;
    $sth->execute ()
        or die "Unable to execute query: " . $sth->errstr;

Please read DBI and learn about placeholders. You should never interpolate user input into SQL (or likely, any other kind of textual data).

You should rewrite your SQL statement and then use placeholders:

    my $stmt = "SELECT * FROM users WHERE $searchfield = ?";
    ...
    my $sth = $dbh->prepare ($stmt)
        or die "Error Preparing:\n" . $stmt . "\nDBI returned: \n", $dbh->errstr;
    $sth->execute($searchterm)
        or die "Unable to execute query: " . $sth->errstr;
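A complete, runnable version of the placeholder approach, added here as an example and not part of the reply above or the original poster's script. It assumes DBD::SQLite is installed so the whole thing runs against an in-memory database, and it stands in constructed values for the `$query->param(...)` calls. It also covers the one thing a placeholder cannot do: a column name such as `$searchfield` cannot be bound, so the example checks it against a fixed allow-list before building the statement.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Example setup (not the original poster's code): an in-memory SQLite
# database with a small users table. Assumes DBD::SQLite is available.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$ins->execute(@$_) for (
    ['alice',   'alice@example.com'],
    ["O'Brien", 'obrien@example.com'],   # a legitimate value containing a quote
);

# Column names cannot be bound with placeholders, so $searchfield is
# restricted to a fixed allow-list instead of being interpolated directly
# from the request. (Hypothetical list; adjust to the real schema.)
my %allowed_field = map { $_ => 1 } qw(name email);

sub search_users {
    my ($dbh, $searchfield, $searchterm) = @_;
    die "Invalid search field\n" unless $allowed_field{$searchfield};

    # The user-supplied value is passed to execute() as a bound parameter,
    # so it is never part of the SQL text DBI hands to the database.
    my $sth = $dbh->prepare(
        "SELECT id, name, email FROM users WHERE $searchfield = ?");
    $sth->execute($searchterm);
    return $sth->fetchall_arrayref({});
}

# Constructed inputs standing in for $query->param('searchfield') and
# $query->param('searchterm').
my $rows = search_users($dbh, 'name', 'alice');
printf "%d row(s) for name=alice\n", scalar @$rows;

# The quote in O'Brien needs no escaping: the driver binds it as data.
$rows = search_users($dbh, 'name', "O'Brien");
printf "%d row(s) for name=O'Brien\n", scalar @$rows;

# A field name outside the allow-list is rejected before any SQL is built.
eval { search_users($dbh, 'password', 'x') };
print "rejected: $@" if $@;
```

Run it with `perl search.pl` (any filename will do). With `RaiseError => 1` set on the handle, the `or die ...` checks after `prepare` and `execute` in the reply above become unnecessary, because DBI throws on failure by itself.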