"CGI::param called in list context" warning in Perl

I have a Perl script that adds data to a database

#!/usr/bin/perl
use cPanelUserConfig;

use strict;
use warnings;
use DBI;
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use CGI;
use CGI::Cookie;
use CGI::Session qw();
use JSON;
#use MIME::Lite;

my $CFG = do "config.pl";
my $cgi = CGI->new;
my $db_handle = DBI->connect ("DBI:mysql:$CFG->{database}", $CFG->{user}, $CFG->{password} ) or die "Couldn't connect to database: $DBI::errstr\n";

my $decdata = decode_json($cgi->param('POSTDATA'));

my $CustomerID;# = $decdata->{'CustomerID'};
my $DeliverySlot = $decdata->{'DeliverySlot'};
my $PaymentMode = $decdata->{'PaymentMode'};
my $CustomerName = $decdata->{'CustomerName'};
my $Address = $decdata->{'Address'};
my $City = $decdata->{'City'};
my $Mobile = $decdata->{'Mobile'};

# Request values are bound through placeholders rather than interpolated into the SQL text.
my $th = $db_handle->prepare("select customer_id from table_customers where mobile = ?");
$th->execute($Mobile) or die "Couldn't connect to database: $DBI::errstr\n";
my @data = $th->fetchrow_array();
if ($data[0])
{
    $CustomerID = $data[0];
}
else
{
    my $sql_query = qq{insert into table_customers values (NULL, ?, ?, ?, NULL, NULL)};
    my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
    $statement->execute($CustomerName, $Address, $Mobile)   or die "SQL Error: $DBI::errstr\n";
    $CustomerID = $statement->{mysql_insertid};
}

my $sql_query = qq{insert into table_orders values (NULL, ?, NOW(), ?, CURDATE(), ?)};
my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute($CustomerID, $PaymentMode, $DeliverySlot)   or die "SQL Error: $DBI::errstr\n";


my $id = $statement->{mysql_insertid};
# Reuse the variables declared above: a second "my" in the same scope masks the first and warns.
$sql_query = qq{insert into table_order_status values (?, 1, NOW())};
$statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
$statement->execute($id)   or die "SQL Error: $DBI::errstr\n";


my $aref = $decdata->{'ItemList'};

for my $element (@$aref)
{
    my $i_name = $element->{ItemName};
    my $i_quantity = $element->{Quantity};
    my $i_mrpprice = $element->{MRP};
    my $i_sellprice = $element->{SellPrice};

    my $sql_query = qq{insert into table_order_details values (?, 2, 2, ?, ?, ?, ?)};
    my $statement = $db_handle->prepare ($sql_query)    or die "Couldn't prepare query '$sql_query': $DBI::errstr\n";
    $statement->execute($id, $i_quantity, $i_mrpprice, $i_sellprice, $i_name)   or die "SQL Error: $DBI::errstr\n";
}


$db_handle->disconnect;
  
print $cgi->header;

When the script runs, I see this error in the error log file, although the entries in the database are perfect.

[Fri Sep 25 06:57:59.276603 2015] [cgi:error] [pid 530749:tid 140571387594496] [client 61.0.172.200:16058] AH01215: [Fri Sep 25 06:57:59 2015] PlaceOrder.pl: CGI::param called in list context from PlaceOrder.pl line 19, this can lead to vulnerabilities. See the warning in "Fetching the value or values of a single named parameter" 

Line 19 is:

my $decdata = decode_json($cgi->param('POSTDATA'));

What is this error and how do I solve this problem? Any help or comments would be very helpful.

Well, aside from pointing out that CGI is non-core because it's no longer deemed good practice and it's worth checking out CGI::Alternatives (I know this isn't always possible, because it requires a complete rewrite):

my $decdata = decode_json(scalar $cgi->param('POSTDATA'));

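The problem is that the param method detects internally if you're asking for a list of values or a single value (see: wantarray()). But because you're passing it to a function (decode_json), it's in list context. Given your post, that seems unlikely to be what you want, so forcing scalar context via scalar (or just "".) will do the trick.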
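
Why the warning mentions vulnerabilities, shown as an added example that is not part of the original question or answer: when a client repeats a parameter, param() in list context returns every value, and the extras shift into the surrounding argument list. The query string, the build_record helper and the field names are constructed for illustration, and the script assumes a CGI.pm version that provides multi_param.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request (not from the original post): "name" is sent three
# times, "city" once. Passing the query string to new() avoids reading STDIN.
my $q = CGI->new('name=alice&name=is_admin&name=1&city=Pune');

# Hypothetical helper: stands in for any function that takes key/value pairs.
sub build_record {
    my %record = @_;
    return \%record;
}

# Print a record's keys and values in a stable order.
sub show {
    my ($label, $rec) = @_;
    print "$label: ", join(', ', map { "$_=$rec->{$_}" } sort keys %$rec), "\n";
}

# Before: function arguments are evaluated in list context, so param()
# returns all three values of "name". The second and third are read as an
# extra key/value pair, and the record gains an is_admin key that the
# calling code never wrote. CGI.pm emits the list-context warning here.
my $unsafe = build_record(
    name => $q->param('name'),
    city => $q->param('city'),
);
show('list context  ', $unsafe);

# After: scalar forces param() to return only the first value, so the
# record contains exactly the two keys written in the call.
my $safe = build_record(
    name => scalar $q->param('name'),
    city => scalar $q->param('city'),
);
show('scalar context', $safe);

# When every value is really wanted, ask for the list explicitly.
my @names = $q->multi_param('name');
print "multi_param   : @names\n";
```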