Menu
I have a perl script that adds data in database
#!/usr/bin/perl
use cPanelUserConfig;
use strict;
use warnings;
use DBI;
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use CGI;
use CGI::Cookie;
use CGI::Session qw();
use JSON;
#use MIME::Lite;
my $CFG = do "config.pl";
my $cgi = CGI->new;
my $db_handle = DBI->connect ("DBI:mysql:$CFG->{database}", $CFG->{user}, $CFG->{password} ) or die "Couldn't connect to database: $DBI::errstr\n";
my $decdata = decode_json($cgi->param('POSTDATA'));
my $CustomerID;# = $decdata->{'CustomerID'};
my $DeliverySlot = $decdata->{'DeliverySlot'};
my $PaymentMode = $decdata->{'PaymentMode'};
my $CustomerName = $decdata->{'CustomerName'};
my $Address = $decdata->{'Address'};
my $City = $decdata->{'City'};
my $Mobile = $decdata->{'Mobile'};
my $th = $db_handle->prepare("select customer_id from table_customers where mobile = '$Mobile'");
$th->execute() or die "Couldn't connect to database: $DBI::errstr\n";
my @data = $th->fetchrow_array();
if ($data[0])
{
$CustomerID = $data[0];
}
else
{
my $sql_query = qq{insert into table_customers values (NULL, '$CustomerName', '$Address', '$Mobile', NULL, NULL)};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
$CustomerID = $statement->{mysql_insertid};
}
my $sql_query = qq{insert into table_orders values (NULL, '$CustomerID', NOW(), '$PaymentMode', CURDATE(), '$DeliverySlot')};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
my $id = $statement->{mysql_insertid};
my $sql_query = qq{insert into table_order_status values ($id, 1, NOW())};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
my $aref = $decdata->{'ItemList'};
for my $element (@$aref)
{
my $i_name = $element->{ItemName};
my $i_quantity = $element->{Quantity};
my $i_mrpprice = $element->{MRP};
my $i_sellprice = $element->{SellPrice};
my $sql_query = qq{insert into table_order_details values ('$id', 2, 2, $i_quantity, '$i_mrpprice', '$i_sellprice', '$i_name')};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
}
$db_handle->disconnect;
print $cgi->header;
While executing the script i am seeing this error in error log file, though entry is perfect in DB.
[Fri Sep 25 06:57:59.276603 2015] [cgi:error] [pid 530749:tid 140571387594496] [client 61.0.172.200:16058] AH01215: [Fri Sep 25 06:57:59 2015] PlaceOrder.pl: CGI::param called in list context from PlaceOrder.pl line 19, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter"
Line 19 is:
my $decdata = decode_json($cgi->param('POSTDATA'));
What is this error and how to fix this. Any help or comments will be highly helpful.
423
Well, aside from pointing out that CGI is non-core because it's no longer deemed good practice and it's worth checking out CGI::Alternatives (I know that's not always possible, because it'd warrant a full rewrite):
my $decdata = decode_json(scalar $cgi->param('POSTDATA'));
The problem is - the param method detects internally if you're asking for a list of values or a single value. (See: wantarray()). But because you're passing it into a function (decode_json) - it's in a list context. It seems unlikely this is what you want, given your post - so enforcing scalar context via scalar (or just "".) will do the trick
150
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
