Perl中的"CGI :: param在列表上下文中调用"警告

Dev*_*wal 3 perl

我有一个在数据库中添加数据的perl脚本

    #!/usr/bin/perl
    use cPanelUserConfig;


    use strict;
    use warnings;
    use DBI;
    use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
    use CGI;
    use CGI::Cookie;
    use CGI::Session qw();
    use JSON;
    #use MIME::Lite;

    my $CFG = do "config.pl";
    my $cgi = CGI->new;
    my $db_handle = DBI->connect ("DBI:mysql:$CFG->{database}", $CFG->{user}, $CFG->{password} ) or die "Couldn't connect to database: $DBI::errstr\n";

    my $decdata = decode_json($cgi->param('POSTDATA'));

    my $CustomerID;# = $decdata->{'CustomerID'};
    my $DeliverySlot = $decdata->{'DeliverySlot'};
    my $PaymentMode = $decdata->{'PaymentMode'};
    my $CustomerName = $decdata->{'CustomerName'};
    my $Address = $decdata->{'Address'};
    my $City = $decdata->{'City'};
    my $Mobile = $decdata->{'Mobile'};

    my $th = $db_handle->prepare("select customer_id from table_customers where mobile = '$Mobile'");
    $th->execute() or die "Couldn't connect to database: $DBI::errstr\n";
    my @data = $th->fetchrow_array();
    if ($data[0]) 
    {
        $CustomerID = $data[0];
    }
    else
    {
        my $sql_query = qq{insert into table_customers values (NULL, '$CustomerName', '$Address', '$Mobile', NULL, NULL)};
        my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";  
        $statement->execute()   or die "SQL Error: $DBI::errstr\n";  
        $CustomerID = $statement->{mysql_insertid};
    }

    my $sql_query = qq{insert into table_orders values (NULL, '$CustomerID', NOW(),  '$PaymentMode', CURDATE(), '$DeliverySlot')};
    my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";  
    $statement->execute()   or die "SQL Error: $DBI::errstr\n";  


    my $id = $statement->{mysql_insertid};
    my $sql_query = qq{insert into table_order_status values ($id, 1, NOW())};
    my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";  
    $statement->execute()   or die "SQL Error: $DBI::errstr\n";  



    my $aref = $decdata->{'ItemList'};

    for my $element (@$aref)
    {
        my $i_name = $element->{ItemName}; 
        my $i_quantity = $element->{Quantity}; 
        my $i_mrpprice = $element->{MRP}; 
        my $i_sellprice = $element->{SellPrice};

        my $sql_query = qq{insert into table_order_details values ('$id', 2, 2, $i_quantity, '$i_mrpprice', '$i_sellprice', '$i_name')};
        my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";  
        $statement->execute()   or die "SQL Error: $DBI::errstr\n";  
    }


    $db_handle->disconnect;

    print $cgi->header;
Run Code Online (Sandbox Code Playgroud)

在执行脚本时,我在错误日志文件中看到此错误,尽管在DB中输入是完美的.

[Fri Sep 25 06:57:59.276603 2015] [cgi:error] [pid 530749:tid 140571387594496] [client 61.0.172.200:16058] AH01215: [Fri Sep 25 06:57:59 2015] PlaceOrder.pl: CGI::param called in list context from PlaceOrder.pl line 19, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" 
Run Code Online (Sandbox Code Playgroud)

第19行是:

my $decdata = decode_json($cgi->param('POSTDATA'));
Run Code Online (Sandbox Code Playgroud)

这是什么错误以及如何解决这个问题.任何帮助或评论都将非常有帮助.

Sob*_*que 10

那么,除了指出CGI非核心,因为它不再被视为是很好的做法,它是值得一试CGI::Alternatives(我知道这并不总是可能的,因为它会保证全部重写):

my $decdata = decode_json(scalar $cgi->param('POSTDATA'));
Run Code Online (Sandbox Code Playgroud)

问题是 - 如果您要求的是值列表或单个值,param方法会在内部进行检测.(见:) wantarray().但是因为你将它传递给一个函数(decode_json) - 它在列表上下文中.考虑到你的帖子,这似乎不太可能是你想要的 - 所以通过scalar(或者只是"".)强制执行标量上下文就可以了