1
我有這種形式,看起來像這樣的CGI文件:檢索值從MySQL表的
print "<FORM NAME='LAYOUTFORM' ACTION='Handler.cgi' METHOD=POST>";
print "<table border='0' align=center>\n";
print "<tr><td>Search by:<SELECT ID='Forms Combo Box1' NAME='what_to_do'><OPTION VALUE='title'>Title</OPTION><OPTION VALUE='description'>Description</OPTION><OPTION VALUE='author'>Author</OPTION></td>";
print "<td><INPUT ID='SearchArea' TYPE=TEXT NAME='searchbox' VALUE='' SIZE=27 MAXLENGTH=100></td>";
print "<td><INPUT TYPE=SUBMIT NAME='searchbutton' VALUE='Search' ID='Form_Search'></td></tr>";
print "</table>\n";
print "</form>";
然後,我有這樣的:
#!/usr/local/bin/perl
use DBI;
use DBD::mysql;
use CGI qw(:standard);
$searchinput = param('searchbox');
print "Content-type: text/html\n\n";
my $dbh = DBI->connect("DBI:mysql:database", "username", "password") or
die("Could not make connection to database: $DBI::errstr");
my $sth = $dbh->prepare(q(SELECT * FROM BookStore WHERE bAuthor = $searchinput)) or
die("Cannot prepare statement: ", $dbh->errstr(), "\n");
my $rc = $sth->execute() or
die("Cannot execute statement: ", $sth->errstr(), "\n");
我得到這個錯誤在命令行:
Uknown column '$searchinput' in 'where clause' at Search.cgi line 17.
我想要做的是用戶將輸入一個名字到main.cgi的文本框中。然後點擊搜索按鈕,search.cgi將檢索表格列中匹配行的信息。
這創造了奇蹟和完美。非常感謝你將標記爲已回答。 – Shawn 2013-05-11 00:22:36
你的第一個建議是[等待發生的災難](http://xkcd.com/327/)。始終使用不受信任的用戶輸入的佔位符。 – mob 2013-05-11 17:47:56