Bind values for INSERT INTO, mysql, perl

Time: 2012-03-06 16:25:45

Tags: mysql perl bind

Newbie here. Just trying to bind values to eliminate SQL injection. I have the code below, but I am getting this error: "called with 1 bind variables when 47 are needed at my.cgi line 803". And the output looks like:

$new_row='53616c7465645f5fd8b88f6a16704f8ebc0a2002dfg45633617bbb0446fa', 'test12', 'user', '2012-03-06', 'xcvb', 'xb', 'xcvbb', 'xcvbb', 'UT', 'US', '4566', '4564564566', 'todd@my.com', 'vbn', '', '200', 'Monthly', 'eBook', 'WebStore', '9.95', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'http://my.com', 'my.com', '', '', '', '', '', '', '', '', '2012-03-06', '30-Day-Trial'
$questionmarks=?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?

I have tried it with and without the quotes and commas. Any ideas appreciated.

foreach my $field (@account_field_order) {
    $new_row       .= "'" . param($field) . "', ";   # quoted values appended to one string
    $questionmarks .= "?, ";                          # one placeholder per field
}#foreach
$new_row       .= "'$status'";
$questionmarks .= "? ";
my $dsn = "DBI:mysql:$database";
my $dbh = DBI->connect($dsn, $MYSQLuserid, $MYSQLpassword)
    or die $DBI::errstr;
my $sth = $dbh->prepare(qq(INSERT INTO $table VALUES ($questionmarks)))
    or die $DBI::errstr;
$sth->execute(qq($new_row)) or die $DBI::errstr;    # $new_row is passed as a single scalar

2 answers:

Answer 0 (score: 2)

You should supply a list of arguments, one per question mark, not a single scalar argument containing the parameter string. When I answered your question before, I told you:

my @values = map param($_), @account_field_order; # add values to array
push @values, $status;                  # for simplicity
$new_row = join ", ", ("?") x @values;  # add ? for each value

... # basically same code as before, except the execute statement:

$sth->execute(@values);      # arguments given will be inserted at placeholders

$new_row is your placeholder string, not your argument list.

$new_row .= "'" . param($field) . "', ";
...
$new_row .= "'$status'";
$sth->execute(qq($new_row)) or die $DBI::errstr;

Because $new_row counts as one argument, since it is a scalar. You need an array or list of the same length as the number of question marks.

Answer 1 (score: 0)

First, let's fix the first statement:

@new_row=('53616c7465645f5fd8b88f6a16704f8ebc0a2002dfg45633617bbb0446fa', 'test12', 'user', '2012-03-06', 'xcvb', 'xb', 'xcvbb', 'xcvbb', 'UT', 'US', '4566', '4564564566', 'todd@my.com', 'vbn', '', '200', 'Monthly', 'eBook', 'WebStore', '9.95', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', 'http://my.com', 'my.com', '', '', '', '', '', '', '', '', '2012-03-06', '30-Day-Trial');
$questionmarks="?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?";

These create an array of values and a single string containing all the ?s.

Then in the execute statement:

$sth->execute(@new_row) or die $DBI::errstr;

This passes your array of values to the execute line, rather than a single argument as before.
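A complete, runnable version of what both answers describe, added here as an example and not code from either answer or from the asker: it builds one placeholder per value, passes the values to execute as a list, and shows that a value containing a quote is stored literally rather than interpreted as SQL. It assumes an in-memory DBD::SQLite database in place of MySQL so it runs offline (the DBI prepare/execute calls are identical with a DBI:mysql DSN), a hypothetical @account_field_order column list with constructed form values standing in for CGI param(), and a hypothetical table-name whitelist, since $table is interpolated into the SQL text and cannot be a bind parameter.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Hypothetical column list standing in for @account_field_order; the
# constructed %form hash replaces the CGI param() calls of the original.
my @account_field_order = qw(username role signup_date email plan);
my %form = (
    username    => 'todd',
    role        => 'user',
    signup_date => '2012-03-06',
    email       => 'todd@my.com',
    plan        => 'Monthly',
);
my $status = '30-Day-Trial';

# Assumed whitelist: a table name cannot be bound with ?, so it must be
# checked against known names before it is interpolated into the SQL.
my %allowed_table = map { $_ => 1 } qw(accounts accounts_archive);
my $table = 'accounts';
die "unknown table '$table'" unless $allowed_table{$table};

# Values as a real list (one element per column), plus a matching
# number of placeholders and an explicit column list.
my @values       = ((map { $form{$_} } @account_field_order), $status);
my $placeholders = join ', ', ('?') x @values;
my $columns      = join ', ', @account_field_order, 'status';

# In-memory SQLite stands in for MySQL so this runs offline; with
# DBD::mysql the DSN would be "DBI:mysql:$database" plus credentials.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE $table ($columns)");

my $sth = $dbh->prepare(
    "INSERT INTO $table ($columns) VALUES ($placeholders)");
$sth->execute(@values);   # one argument per ?, nothing interpolated into SQL

# A value containing a quote and a comment marker is just data to the
# driver: it is stored as-is and never changes the statement.
my @awkward = ("o'brien", 'user', '2012-03-06', "x'); --", 'Monthly');
$sth->execute(@awkward, $status);

my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM $table");
my ($name)  = $dbh->selectrow_array(
    "SELECT username FROM $table WHERE email = ?", undef, "x'); --");
print "rows inserted: $count, literal match: $name\n";
```

The statement is prepared once and executed twice with different argument lists; the number of arguments must equal the number of placeholders on every call, which is exactly the check the asker's error message was reporting.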