Check my code please... HTML form->Perl->mySQL db
Posted by: Dustin Pankratz
Date: March 30, 2009 11:26PM
Date: March 30, 2009 11:26PM
I was given a project to create a simple HTML registration form in which the data is validated using Javascript. It is then validated on the server side using Perl before being sent to a mySQL database. This is my first time using Perl so I would appreciate some expert feedback. Have I gotten this right? Any productive feedback will be greatly appreciated. Thanks.
db_register.sql:
register.cgi:
1. I think I already caught one minor error. In the sub "validate_form" I'm using a variable named $query but below when I create a new CGI object I named it $q. These need to match.
2. Does the sub process_form need to exist before it's being called upon?
Edited 1 time(s). Last edit at 03/31/2009 01:21AM by Dustin Pankratz.
db_register.sql:
CREATE DATABASE db_register; USE db_register; CREATE TABLE contact ( fname VARCHAR(20) NOT NULL, lname VARCHAR(20) NOT NULL, address VARCHAR(30), city VARCHAR(20), state VARCHAR(2), zip SMALLINT(5), phone VARCHAR(12), email VARCHAR(30) NOT NULL, PRIMARY KEY(email) );
register.cgi:
sub display_form
{
my $error_message = shift;
my $fname = shift;
my $lname = shift;
my $address = shift;
my $city = shift;
my $state = shift;
my $zip = shift;
my $phone = shift;
my $email = shift;
# Remove and potentially malicious HTML tags
$fname =~ s/<([^>]|\n)*>//g;
$lname =~ s/<([^>]|\n)*>//g;
$address =~ s/<([^>]|\n)*>//g;
$city =~ s/<([^>]|\n)*>//g;
$state =~ s/<([^>]|\n)*>//g;
$zip =~ s/<([^>]|\n)*>//g;
$phone =~ s/<([^>]|\n)*>//g;
$email =~ s/<([^>]|\n)*>//g;
#Display the form
print <<END_HTML;
<html>
<head>
<title>Newsletter Registration Form</title>
</head>
<body>
<script type="text/javascript">
<!--
function validate_form ( )
{
valid = true;
// validate name fields
if ( document.registration_form.fname.value == "" )
{
alert ( "Please fill in the 'First Name' box." );
valid = false;
}
if ( document.registration_form.lname.value == "" )
{
alert ( "Please fill in the 'Last Name' box." );
valid = false;
}
// validate address field
if ( document.registration_form.address.value == "" )
{
alert ( "Please fill in the 'Address' box." );
valid = false;
}
// validate city field
if ( document.registration_form.city.value == "" )
{
alert ( "Please fill in the 'City' box." );
valid = false;
}
// validate state field
if ( document.registration_form.state.value == "" )
{
alert ( "Please fill in the 'State' box." );
valid = false;
}
// validate zip field
if ( document.registration_form.zip.value == "" )
{
alert ( "Please fill in the 'Zip' box." );
valid = false;
}
else if ( isNaN( document.registration_form.zip.value ) )
{
alert ( "Please enter a 5-digit zip code." );
valid = false;
}
// validate phone field
if ( document.registration_form.phone.value == "" )
{
alert ( "Please fill in the 'Phone' box." );
valid = false;
}
else if ( isNaN( document.registration_form.phone.value ) )
{
alert ( "Please enter a 10-digit phone number." );
valid = false;
}
// validate email field
var emailFilter=/^.+@.+\..{2,3}$/;
if ( document.registration_form.email.value == "" )
{
alert ( "Please fill in the 'Email' box." );
valid = false;
}
else if (!(emailFilter.test(document.registration_form.email.value))) {
alert ("Please enter a valid email address.");
valid = false;
}
if ( valid == true )
{
alert ("Thank you for registering." );
}
return valid;
}
//-->
</script>
<h1>Newsletter Registration Form</h1>
<p>$error_message</p>
<FORM NAME="registration_form" ACTION="form_validation.cgi" METHOD="POST" onsubmit="return validate_form();">
<table border="3" width="100%" bgcolor="#D5D5FF" bordercolor="blue" cellspacing="0">
<tr>
<td width="30%" align="right"><b>First Name:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="fname" VALUE="$fname" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>Last Name:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="lname" VALUE="$lname" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>Address:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="address" VALUE="$address" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>City:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="city" VALUE="$city" SIZE=40></td>
</tr>
<tr>
<td width="30%" align="right"><b>State:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="state" VALUE="$state" SIZE=2 MAXLENGTH="2"></td>
</tr>
<tr>
<td width="30%" align="right"><b>Zip:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="zip" VALUE="$zip" SIZE=5 MAXLENGTH="5"></td>
</tr>
<tr>
<td width="30%" align="right"><b>Phone:</b><br>Do not include () or -</td>
<td width="70%"><INPUT TYPE="text" NAME="phone" VALUE="$phone" SIZE=10 MAXLENGTH=10></td>
</tr>
<tr>
<td width="30%" align="right"><b>Email:</b></td>
<td width="70%"><INPUT TYPE="text" NAME="email" VALUE="$email" SIZE=40></td>
</tr>
</table>
<br>
<hr size="2" color="blue">
<center>
<INPUT TYPE="submit" VALUE="Submit Data">
<INPUT TYPE="reset" VALUE="Clear Data">
</center>
</FORM>
</body></html>
END_HTML
}
sub validate_form
{
my $fname = $query->param("fname");
my $lname = $query->param("lname");
my $address = $query->param("address");
my $city = $query->param("city");
my $state = $query->param("state");
my $zip = $query->param("zip");
my $phone = $query->param("phone");
my $email = $query->param("email");
my $error_message = "";
$error_message .= "Please enter your first name<br/>" if ( !$fname );
$error_message .= "Please enter your last name<br/>" if ( !$lname );
$error_message .= "Please enter your address<br/>" if ( !$address );
$error_message .= "Please enter your city<br/>" if ( !$city );
$error_message .= "Please enter your state<br/>" if ( !$state );
$error_message .= "Please enter your zip<br/>" if ( !$zip );
$error_message .= "Please enter your phone<br/>" if ( !$phone );
$error_message .= "Please enter your email<br/>" if ( !$email );
if ( $error_message )
{
# Errors with the form - redisplay it and return failure
display_form ( $error_message, $fname, $lname, $address, $city, $state, $zip, $phone, $email );
return 0;
}
else
{
# Form OK - return success
return 1;
}
}
#!/usr/bin/perl
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use DBI;
# Connection to CGI and Database
$q = new CGI;
$dbh = DBI->connect('dbi:mysql:database=db_register','','',{RaiseError=>1});
# Output the HTTP header
print $q->header ();
# Process form if submitted; otherwise display it
if ( $q->param("submit") )
{
process_form();
}
else
{
display_form();
}
sub process_form
{
if ( validate_form () )
{
# Insert form elements into database
my $sql= $dbh->prepare('INSERT INTO contact(fname,lname,address,city,state,zip,phone,email)
values("$fname","$lname","$address","$city","$state","$zip","$phone","$email")');
$sql->execute();
# Finish database connection
$dbh->disconnect if $dbh;
# Display Thank You page
print <<END_HTML;
<html><head><title>Thank You</title></head>
<body>
Thank you for registering!
</body></html>
END_HTML
}
}
1. I think I already caught one minor error. In the sub "validate_form" I'm using a variable named $query but below when I create a new CGI object I named it $q. These need to match.
2. Does the sub process_form need to exist before it's being called upon?
Edited 1 time(s). Last edit at 03/31/2009 01:21AM by Dustin Pankratz.
Subject
Written By
Posted
Sorry, you can't reply to this topic. It has been closed.
Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.