forms
  • perl
  • cgi
  • 2013-05-10 72 views 1 likes 
    1

    I have a form in a CGI file that looks like this; it retrieves values from a MySQL table:

    print "<FORM NAME='LAYOUTFORM' ACTION='Handler.cgi' METHOD=POST>";
    print "<table border='0' align=center>\n";
    print "<tr><td>Search by:<SELECT ID='Forms Combo Box1' NAME='what_to_do'><OPTION VALUE='title'>Title</OPTION><OPTION VALUE='description'>Description</OPTION><OPTION VALUE='author'>Author</OPTION></SELECT></td>";
    print "<td><INPUT ID='SearchArea' TYPE=TEXT NAME='searchbox' VALUE='' SIZE=27 MAXLENGTH=100></td>";
    print "<td><INPUT TYPE=SUBMIT NAME='searchbutton' VALUE='Search' ID='Form_Search'></td></tr>";
    print "</table>\n";
    print "</form>";


    Then I have this:

    #!/usr/local/bin/perl
    use strict;
    use warnings;

    use DBI;
    use DBD::mysql;
    use CGI qw(:standard);

    my $searchinput = param('searchbox');

    print "Content-type: text/html\n\n";

    my $dbh = DBI->connect("DBI:mysql:database", "username", "password") or
    die("Could not make connection to database: $DBI::errstr");

    # q(...) behaves like single quotes, so $searchinput is sent to MySQL literally
    my $sth = $dbh->prepare(q(SELECT * FROM BookStore WHERE bAuthor = $searchinput)) or
    die("Cannot prepare statement: ", $dbh->errstr(), "\n");

    my $rc = $sth->execute() or
    die("Cannot execute statement: ", $sth->errstr(), "\n");


    I get this error on the command line:

    Uknown column '$searchinput' in 'where clause' at Search.cgi line 17. 
    

    What I want to do is have the user type a name into the text box in main.cgi. When they click the search button, search.cgi should then retrieve the information from the rows whose column matches.

    Answer

    1

    Try changing this line:

    my $sth = $dbh->prepare(q(SELECT * FROM BookStore WHERE bAuthor = $searchinput)) or 
    die("Cannot prepare statement: ", $dbh->errstr(), "\n"); 
    

    to:

    my $query = sprintf ('SELECT * FROM BookStore WHERE bAuthor = %s', 
            $dbh->quote("$searchinput")); 
    
    +0

    This worked wonders, perfectly. Thank you very much, I will mark it as answered. – Shawn 2013-05-11 00:22:36

    +1

    Your first suggestion is [a disaster waiting to happen](http://xkcd.com/327/). Always use placeholders for untrusted user input. – mob 2013-05-11 17:47:56
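    The placeholder approach mob recommends, written out as an added example rather than the poster's or answerer's code: the search value is bound with `?` so DBI never splices it into the SQL text, and the form's `what_to_do` selector is mapped through a fixed whitelist because a column name cannot be a placeholder. Only `bAuthor` appears in the question; `bTitle` and `bDescription` are assumed names for the other two options.

```perl
#!/usr/local/bin/perl
use strict;
use warnings;
use DBI;
use CGI qw(:standard escapeHTML);

# Added example (not the poster's Search.cgi): bind the search value with a
# '?' placeholder and restrict the column to a fixed whitelist, since column
# names cannot be bound. Only bAuthor appears in the question; bTitle and
# bDescription are assumed names for the other two select options.
my %column_for = (
    title       => 'bTitle',
    description => 'bDescription',
    author      => 'bAuthor',
);

my $what_to_do  = param('what_to_do') // '';
my $searchinput = param('searchbox')  // '';

print "Content-type: text/html\n\n";

# Anything outside the whitelist is rejected before it reaches the SQL text
my $column = $column_for{$what_to_do}
    or die "Unsupported search field\n";

my $dbh = DBI->connect("DBI:mysql:database", "username", "password",
    { RaiseError => 1, PrintError => 0 })
    or die "Could not make connection to database: $DBI::errstr";

# The column comes from our own hash; the value travels separately to execute()
my $sth = $dbh->prepare("SELECT * FROM BookStore WHERE $column = ?");
$sth->execute($searchinput);

while (my $row = $sth->fetchrow_hashref) {
    # Escape before echoing database content back into the page
    print escapeHTML($row->{bAuthor} // ''), "<br>\n";
}
$sth->finish;
$dbh->disconnect;
```

    Unlike `$dbh->quote`, the bound value is also correct for non-string types and cannot be affected by the connection's quoting rules changing.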
