- In Perl, when you take data that came from a form and insert it into a database, you have to be careful about single quotes, double quotes and commas in the input: a quote ends the string literal in your SQL statement, so whatever follows it in the input is read as SQL rather than as data. One crude way to deal with this is to replace those characters in each form entry:
$entry1 =~ s/\"/_/g;
$entry1 =~ s/\'/_/g;
$entry1 =~ s/,/_/g;
The down side of this is that it replaces these characters with underscores. The underscores then show up in your stored data and are hard to get out again, because you can't tell them from underscores that really belong in the data. It also only catches the three characters you thought of.
- An easier and more reliable way in Perl is to use DBI placeholders: you put question marks in the SQL where the values go, prepare the statement, and hand the actual values to execute, which passes them to the database separately from the SQL text. When inserting data into your database, go through the following steps to take care of quotes without having to modify your data:
use DBI;
# $dbh is an already-open DBI database handle
# construct your SQL insert command with question marks (placeholders)
my $sql = "insert into csplayground.survey values (
?, ?, ?, ?, ?, ?, ?, ?, ?, ?);";
my $sth = $dbh->prepare ($sql);
# one value per ?, in column order; the values never become part of the
# SQL text, so quotes or commas in them cannot change the statement
$sth->execute ($entry1,
$entry2,
$entry3,
. . .
);
The driver takes care of the quoting (or sends the values to the server separately), so nothing in the data can be mistaken for SQL and the data is stored exactly as the user typed it. Note that the number of question marks has to exactly match the number of values passed to execute, and the values have to be in the same order as the columns.
- PHP has a function called addslashes that puts a backslash in front of the characters that would otherwise be interpreted inside a SQL string literal (single quote, double quote, backslash and the NUL character). Be aware that this is MySQL-style escaping done as plain text substitution: it knows nothing about the database's character set or its escaping rules, so the PHP manual recommends the database driver's own escaping function or, better, prepared statements (PDO or mysqli) instead. The companion function stripslashes undoes addslashes. Normally the database consumes the backslashes when it parses your statement and the stored value has none, so you only need stripslashes if the escaped string itself got stored (for example because it was escaped twice).
$str = addslashes($str);
# To remove the slashes later, use stripslashes
. . .
$str = stripslashes($str);
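The placeholder technique from the Perl DBI item above is the same one PHP's PDO offers, so one added example covers both that item and the addslashes item. This is not code from the original notes: it assumes the pdo_sqlite extension, and the survey table, its two columns and the form values are made up for the demonstration. It runs string interpolation, addslashes() and a prepared statement side by side against an in-memory database.

```php
<?php
// Added example (not from the original notes): the three ways of getting form
// data into SQL that the notes discuss, side by side, against an in-memory
// SQLite database. Assumes the pdo_sqlite extension; the table `survey` and
// its two columns are made up for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey (name TEXT, comment TEXT)');

// 1. String interpolation: whatever the user typed becomes SQL text.
function insert_interpolated(PDO $db, string $name, string $comment): string
{
    $sql = "INSERT INTO survey VALUES ('$name', '$comment')";
    try {
        $db->exec($sql);          // exec() runs every statement in the string
        return 'ok';
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// 2. addslashes(): backslash-escapes ' " \ and NUL, then interpolates anyway.
//    MySQL understands \' in a string literal; SQLite (and standard SQL) do not,
//    so the very same code is a syntax error here. That dependence on the DBMS
//    is one reason the PHP manual says addslashes() is not a SQL escaping function.
function insert_addslashes(PDO $db, string $name, string $comment): string
{
    return insert_interpolated($db, addslashes($name), addslashes($comment));
}

// 3. Placeholders, exactly like the Perl DBI prepare/execute in the notes: the
//    SQL text is fixed and the values travel separately, so a quote in the data
//    can neither end the string literal nor start a second statement.
function insert_prepared(PDO $db, string $name, string $comment): string
{
    $sth = $db->prepare('INSERT INTO survey VALUES (?, ?)');
    $sth->execute([$name, $comment]);   // one value per ?, in column order
    return 'ok';
}

function stored_names(PDO $db): array
{
    return $db->query('SELECT name FROM survey ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed form input: a legitimate apostrophe and an injection string.
$legit  = "O'Brien";
$attack = "x', 'pwned'); DELETE FROM survey; --";

$db->exec("INSERT INTO survey VALUES ('existing', 'row')");

// The apostrophe unbalances the quotes: SQL error, the row is lost.
echo "interpolated legit : ", insert_interpolated($db, $legit, 'hi'), "\n";
// The attack string closes the literal, adds a DELETE and comments out the
// rest: no error at all, but the table is now empty.
echo "interpolated attack: ", insert_interpolated($db, $attack, 'hi'), "\n";
echo "rows left          : ", count(stored_names($db)), "\n";

// Works on MySQL, SQL error on SQLite: escaping rules belong to the database.
echo "addslashes legit   : ", insert_addslashes($db, $legit, 'hi'), "\n";

// Both strings are stored verbatim; the DELETE is just text in a column.
echo "prepared legit     : ", insert_prepared($db, $legit, 'hi'), "\n";
echo "prepared attack    : ", insert_prepared($db, $attack, 'hi'), "\n";
print_r(stored_names($db));
```

The point to take away is that none of the three versions needed to change the user's data: only the prepared statement keeps the apostrophe, stores the attack string harmlessly and behaves the same on every database.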
- PHP has a nice built-in way to make user data safe to echo back into an HTML page, the htmlspecialchars function. It replaces ampersand, double quote, less than and greater than with their HTML entities (&amp; &quot; &lt; &gt;), and also the single quote (&#039;) if you pass the ENT_QUOTES flag, which only became the default in PHP 8.1. Use it on any user data you put into HTML output, so that a < in the data can't start a tag and a quote can't close the attribute you put it in:
$str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
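Why the flag matters, as an added example that is not from the original notes: the value is echoed into a single-quoted attribute, once with the old default flags and once with ENT_QUOTES. The input string and the input element are constructed for the demonstration.

```php
<?php
// Added example (not from the original notes): escaping a form value before
// echoing it into an HTML attribute. Only the <input> template is assumed.

// Constructed input that tries to close a single-quoted attribute early.
$name = "' onmouseover='alert(1)";

// Escape for HTML text and for both kinds of quoted attribute. ENT_QUOTES
// covers ' as well as "; ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead
// of making htmlspecialchars() return an empty string; always name the charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before PHP 8.1 the default flags were ENT_COMPAT, which leaves ' untouched,
// so the attacker's quote closes the attribute and onmouseover= becomes live.
$compat = "<input value='" . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>";

// With ENT_QUOTES the quote is encoded and the whole value stays inside value=''.
$safe = "<input value='" . h($name) . "'>";

echo "ENT_COMPAT: $compat\n";
echo "ENT_QUOTES: $safe\n";
```

Wrapping the call in a short helper like h() also makes it easy to see, when reading a template, which values have been escaped and which have not.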
- There are several ways to get a Perl script to send email. As we have discussed, you want to be really careful about this, especially about the To: field of the message. This is especially true if you use the pipe method (opening sendmail with |), because the command line goes through the shell: a semicolon in the form data stops the current command and starts another one that does just about anything, and backticks, $( ), | and & work the same way. A newline inside an address is a second problem, since it lets the sender add mail headers of their own. Limit form input that is going into that kind of mail to alphanumeric characters and simple punctuation, and check it against a pattern of allowed characters rather than deleting the bad ones you can think of. Perl's list form of open, which runs the program directly without a shell, removes the command-injection part of the problem. There are Perl modules (that I don't know very well) that send mail in more robust ways. Email::Sender and MIME::Lite are two commonly used ones.
- In PHP there is a really nice built-in function for this called mail. It is easy to use. It takes three required parameters and a fourth optional one. The three required parameters are a To string, a Subject string and a message string. The optional fourth argument can be a string that contains additional headers. For example:
mail("agarvey@truman.edu", "Test Message", $message);
where $message is a string containing the message, with \n separating the lines.
By default on xenon the message will be from apache@truman.edu, but you can change this by putting a From: header in the header string. For example,
mail("agarvey@truman.edu", "Whatever", $message,
     "From: me@truman.edu\r\n" .
     "Reply-To: me@truman.edu\r\n");
\r\n is the standard carriage return, linefeed that separates one mail header from the next. Because that is all that separates them, never put raw form input into the header string: an address like me@truman.edu\r\nBcc: ... adds a header of the sender's choosing. Check that the value is a single valid address (filter_var with FILTER_VALIDATE_EMAIL, which never accepts a line break) and reject it otherwise, rather than trying to clean it up.
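The header-injection risk behind the warnings about the To: field in the Perl item and about \r\n above, as an added example that is not from the original notes: it builds the fourth argument of mail() from a form value, first naively and then with a check, and sends nothing. The form values and the attacker's address are constructed for the demonstration.

```php
<?php
// Added example (not from the original notes): building the additional-headers
// argument of mail() from form data without letting the sender inject headers.
// Nothing is sent; the functions only build the header string. The field
// values and the attacker's address are constructed.

// Constructed form values: a genuine address and one carrying a CRLF payload.
$good = 'me@truman.edu';
$evil = "me@truman.edu\r\nBcc: everyone@example.net";

// Naive version: whatever the form sent goes straight into the header string,
// so a \r\n inside it starts a new header line of the sender's choosing.
function headers_naive(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

// Hardened version: accept only a syntactically valid address (which can never
// contain CR or LF) and refuse anything else instead of trying to clean it.
function headers_checked(string $from): string
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid From address');
    }
    return "From: $from\r\nReply-To: $from\r\n";
}

// The naive headers now contain a Bcc: line the form author never wrote.
echo headers_naive($evil);

// The checked version rejects the same input outright.
try {
    echo headers_checked($evil);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

// A legitimate address passes unchanged and can be used exactly as in the notes:
// mail("agarvey@truman.edu", "Whatever", $message, headers_checked($good));
echo headers_checked($good);
```

PHP 7.2 and later also accept the additional headers as an associative array, for example ['From' => $from], and check the header values for stray line breaks themselves; that is a simpler way to get the same protection when you control the PHP version.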