[ic] SQL query returning no results
Kevin Walsh
kevin at cursor.biz
Fri Oct 27 09:26:16 EDT 2006
"graham hadgraft" <graham.hadgraft at gmail.com> wrote:
> On 27/10/06, Peter <peter at pajamian.dhs.org> wrote:
> > I recommend that you do something like this instead (untested):
> >
> > [perl tables=products interpolate=0]
> > # interpolate=0 because you don't have any tags in this block
> > # that need to be parsed ahead of time.
> > my @array = split(/-/,$CGI->{from});
> > my $db = $Db{products};
> > # Specify your return fields to avoid unecessary overhead,
> > # and also you know what order they come in that way.
> > my $sql = "SELECT description FROM products WHERE icons LIKE '%'";
> >
> > foreach (@array) {
> > # Quote any untrusted input to prevent an SQL injection
> > # attack.
> > my $test = $db->quote("\%$_\%");
> > $sql .= " AND icons LIKE $test";
> > }
> >
> > # This is a better way of sending a query from a [perl] block.
> > # it returns an array ref of array refs (rather than hash refs)
> > # so it is handy to know what order the fields get returned in.
> > my $ref = $db->query($sql);
> >
> > # This is just another way of joining up the results. You can
> > # assign it to a variable and return the variable, or return
> > # this code directly, or just leave it like this and the return
> > # value will still be the same because it falls off the end of
> > # the [perl] block.
> > join ('', map { $_->[0] . 'test<br>' } @$ref);
> > [/perl]
> >
> Using this code if the checkbox had only one value selected the code
> works however when more than one check box is selected it stops
> working despite the query being used working in direct sql.
>
> Any idea why this would happen. Trying this with the previous code i
> had it also does the same. Sql injection will not be a problem as
> this page is only available on a page only used by me and someone else
> in my company as this is on the admin page.
>
I see you are splitting $CGI->{from} using /-/. Did you add the "-"
character to the end of each of the checkbox values so that you could
split on it in your code?
If so then don't do that; Don't add the "-" - just split $CGI->{from}
using /\0/ instead.
--
_/ _/ _/_/_/_/ _/ _/ _/_/_/ _/ _/
_/_/_/ _/_/ _/ _/ _/ _/_/ _/ K e v i n W a l s h
_/ _/ _/ _/ _/ _/ _/ _/_/ kevin at cursor.biz
_/ _/ _/_/_/_/ _/ _/_/_/ _/ _/
More information about the interchange-users
mailing list