我有一个在数据库中添加数据的perl脚本
#!/usr/bin/perl
use cPanelUserConfig;
use strict;
use warnings;
use DBI;
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use CGI;
use CGI::Cookie;
use CGI::Session qw();
use JSON;
#use MIME::Lite;
my $CFG = do "config.pl";
my $cgi = CGI->new;
my $db_handle = DBI->connect ("DBI:mysql:$CFG->{database}", $CFG->{user}, $CFG->{password} ) or die "Couldn't connect to database: $DBI::errstr\n";
my $decdata = decode_json($cgi->param('POSTDATA'));
my $CustomerID;# = $decdata->{'CustomerID'};
my $DeliverySlot = $decdata->{'DeliverySlot'};
my $PaymentMode = $decdata->{'PaymentMode'};
my $CustomerName = $decdata->{'CustomerName'};
my $Address = $decdata->{'Address'};
my $City = $decdata->{'City'};
my $Mobile = $decdata->{'Mobile'};
my $th = $db_handle->prepare("select customer_id from table_customers where mobile = '$Mobile'");
$th->execute() or die "Couldn't connect to database: $DBI::errstr\n";
my @data = $th->fetchrow_array();
if ($data[0])
{
$CustomerID = $data[0];
}
else
{
my $sql_query = qq{insert into table_customers values (NULL, '$CustomerName', '$Address', '$Mobile', NULL, NULL)};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
$CustomerID = $statement->{mysql_insertid};
}
my $sql_query = qq{insert into table_orders values (NULL, '$CustomerID', NOW(), '$PaymentMode', CURDATE(), '$DeliverySlot')};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
my $id = $statement->{mysql_insertid};
my $sql_query = qq{insert into table_order_status values ($id, 1, NOW())};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
my $aref = $decdata->{'ItemList'};
for my $element (@$aref)
{
my $i_name = $element->{ItemName};
my $i_quantity = $element->{Quantity};
my $i_mrpprice = $element->{MRP};
my $i_sellprice = $element->{SellPrice};
my $sql_query = qq{insert into table_order_details values ('$id', 2, 2, $i_quantity, '$i_mrpprice', '$i_sellprice', '$i_name')};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
}
$db_handle->disconnect;
print $cgi->header;
Run Code Online (Sandbox Code Playgroud)
在执行脚本时,我在错误日志文件中看到此错误,尽管在DB中输入是完美的.
[Fri Sep 25 06:57:59.276603 2015] [cgi:error] [pid 530749:tid 140571387594496] [client 61.0.172.200:16058] AH01215: [Fri Sep 25 06:57:59 2015] PlaceOrder.pl: CGI::param called in list context from PlaceOrder.pl line 19, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter"
Run Code Online (Sandbox Code Playgroud)
第19行是:
my $decdata = decode_json($cgi->param('POSTDATA'));
Run Code Online (Sandbox Code Playgroud)
这是什么错误以及如何解决这个问题.任何帮助或评论都将非常有帮助.
Sob*_*que 10
那么,除了指出CGI的非核心,因为它不再被视为是很好的做法,它是值得一试CGI::Alternatives(我知道这并不总是可能的,因为它会保证全部重写):
my $decdata = decode_json(scalar $cgi->param('POSTDATA'));
Run Code Online (Sandbox Code Playgroud)
问题是 - 如果您要求的是值列表或单个值,该param方法会在内部进行检测.(见:) wantarray().但是因为你将它传递给一个函数(decode_json) - 它在列表上下文中.考虑到你的帖子,这似乎不太可能是你想要的 - 所以通过scalar(或者只是"".)强制执行标量上下文就可以了
| 归档时间: |
|
| 查看次数: |
4812 次 |
| 最近记录: |