My query string:
$query = 'INSERT INTO mm_contacts (name, email, phone, comments) VALUES (" \"$FORM{name}\", \"$FORM{email}\", \"$FORM{phone}\", \"$FORM{comments}\" " )';
Is coming out as follows:
INSERT INTO mm_contacts (name, email, phone, comments) VALUES (" \"$FORM{name}\", \"$FORM{email}\", \"$FORM{phone}\", \"$FORM{comments}\" " )
It needs to resolve to something like this, I believe:
$query = 'INSERT INTO mm_contacts (name, email, phone, comments) VALUES ("Testy Test", "test@test.com", 216-875-8758, "This is a test")';
$query = qq{INSERT INTO mm_contacts (name, email, phone, comments) VALUES (" "$FORM{name}", "$FORM{email}", "$FORM{phone}", "$FORM{comments}" " )};
Not sure if you need all those double-quotes in the VALUES
But you want to look into using placeholders instead of plugging your perl variables directly into your INSERT statements.
variable interpolation does not occur within single quoted strings.
you could try using the string concatenation operator (.) for perl:
$query = 'INSERT INTO mm_contacts (name, email, phone, comments) VALUES ("' . $FORM{name} . '", "' . $FORM{email} . '", "' . $FORM{phone} . '", "' . $FORM{comments} . '" )';
$FORM{'comments'} = 'This is a "cool site", thank you';
$query = qq{INSERT INTO mm_contacts (name, email, phone, comments) VALUES ("$FORM{name}", "$FORM{email}", "$FORM{phone}", "$FORM{comments}");};
When it goes to insert the comments value, mySQL will "think" the value ends at the first quote [This is a "] and won't know what to do with the second part of the value [cool site", thank you] and will error.
The two approaches to this are to escape the quote delimiter,
$FORM{'comments'} =~ s/"+/\\"/g;
Or to double the delimiter.
$FORM{'name'} =~ s/"+/""/g;
$FORM{'phone'} =~ s/"+/""/g;
$FORM{'email'} =~ s/"+/""/g;
$FORM{'comments'} =~ s/"+/""/g;
Of course, a loop or sub for this purpose would be more efficient)
The double delimiter allows the value to insert normally.
Two other bits of advice:
You may want to use single quotes in your select value delimiters; on the average, there are likely to be more double quoted values being stored, especially if html is any part of your input:
$query = qq{INSERT INTO mm_contacts (name, email, phone, comments) VALUES ('$FORM{name}', '$FORM{email}', '$FORM{phone}', '$FORM{comments}');};
... and treat it the same for the O'Malley's out there:
$FORM{'name'} =~ s/'+/''/g;
$FORM{'phone'} =~ s/'+/''/g;
$FORM{'email'} =~ s/'+/''/g;
$FORM{'comments'} =~ s/'+/''/g;
The second is, you should never ever allow form data to be directly used for database inserts or other program functions. It needs to be cleansed before doing an insert. The "basic rule" is if input data is stored anywhere (in a database) or is directly echoed back to the page, you open yourself to mySQL injection, Cross Site Scripting, or worse. Exchange "example.com" for your site, example.cgi for your script, any field for your input form:
http://www.example.com/cgi-bin/example.cgi?name=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22
The above is harmless, but if you run it and get a Javascript alert "123" your data is not being adequately cleansed and you have a potential injection problem.
Cheers, B
