我有一个Perl脚本,可以在数据库中添加数据
#!/usr/bin/perl
use cPanelUserConfig;
use strict;
use warnings;
use DBI;
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use CGI;
use CGI::Cookie;
use CGI::Session qw();
use JSON;
#use MIME::Lite;
my $CFG = do "config.pl";
my $cgi = CGI->new;
my $db_handle = DBI->connect ("DBI:mysql:$CFG->{database}", $CFG->{user}, $CFG->{password} ) or die "Couldn't connect to database: $DBI::errstr\n";
my $decdata = decode_json($cgi->param('POSTDATA'));
my $CustomerID;# = $decdata->{'CustomerID'};
my $DeliverySlot = $decdata->{'DeliverySlot'};
my $PaymentMode = $decdata->{'PaymentMode'};
my $CustomerName = $decdata->{'CustomerName'};
my $Address = $decdata->{'Address'};
my $City = $decdata->{'City'};
my $Mobile = $decdata->{'Mobile'};
my $th = $db_handle->prepare("select customer_id from table_customers where mobile = '$Mobile'");
$th->execute() or die "Couldn't connect to database: $DBI::errstr\n";
my @data = $th->fetchrow_array();
if ($data[0])
{
$CustomerID = $data[0];
}
else
{
my $sql_query = qq{insert into table_customers values (NULL, '$CustomerName', '$Address', '$Mobile', NULL, NULL)};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
$CustomerID = $statement->{mysql_insertid};
}
my $sql_query = qq{insert into table_orders values (NULL, '$CustomerID', NOW(), '$PaymentMode', CURDATE(), '$DeliverySlot')};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
my $id = $statement->{mysql_insertid};
my $sql_query = qq{insert into table_order_status values ($id, 1, NOW())};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
my $aref = $decdata->{'ItemList'};
for my $element (@$aref)
{
my $i_name = $element->{ItemName};
my $i_quantity = $element->{Quantity};
my $i_mrpprice = $element->{MRP};
my $i_sellprice = $element->{SellPrice};
my $sql_query = qq{insert into table_order_details values ('$id', 2, 2, $i_quantity, '$i_mrpprice', '$i_sellprice', '$i_name')};
my $statement = $db_handle->prepare ($sql_query) or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute() or die "SQL Error: $DBI::errstr\n";
}
$db_handle->disconnect;
print $cgi->header;
执行脚本时,虽然在DB中输入是完美的,但我在错误日志文件中看到此错误。
[Fri Sep 25 06:57:59.276603 2015] [cgi:error] [pid 530749:tid 140571387594496] [client 61.0.172.200:16058] AH01215: [Fri Sep 25 06:57:59 2015] PlaceOrder.pl: CGI::param called in list context from PlaceOrder.pl line 19, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter"
第19行是:
my $decdata = decode_json($cgi->param('POSTDATA'));
这是什么错误以及如何解决。任何帮助或评论都将非常有帮助。
那么,除了指出CGI的非核心,因为它不再被视为是很好的做法,它的值得一试CGI::Alternatives(我知道这并不总是可能的,因为它会保证全部重写):
my $decdata = decode_json(scalar $cgi->param('POSTDATA'));
问题是-如果您要的是值列表或单个值,该param方法会在内部进行检测。(请参阅:)wantarray()。但是因为您要将其传递给函数(decode_json)-它位于列表上下文中。鉴于您的帖子,这似乎不太可能是您想要的-因此,通过scalar(或只是"".)强制执行标量上下文将达到目的
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句