Novice here. Just trying to bind values to eliminate SQL injections. I've got the code below, but I get this error: "called with 1 bind variables when 47 are needed at my.cgi line 803." And the output looks like:
$new_row='53616c7465645f5fd8b88f6a16704f8ebc0a2002dfg45633617bbb0446fa', 'test12', 'user', '2012-03-06', 'xcvb', 'xb', 'xcvbb', 'xcvbb', 'UT', 'US', '4566', '4564564566', '', 'vbn', '', '200', 'Monthly', 'eBook', 'WebStore', '9.95', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '2012-03-06', '30-Day-Trial'
$questionmarks=?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?
I've tried it with/without quotes and commas. Any ideas appreciated.
use CGI qw(param);
use DBI;

my ($new_row, $questionmarks) = ('', '');
foreach my $field (@account_field_order) {
    # Builds one quoted, comma-separated string of all the values...
    $new_row .= "'" . param($field) . "', ";
    # ...and, in parallel, the placeholder list for the INSERT.
    $questionmarks .= "?, ";
}
$new_row .= "'$status'";
$questionmarks .= "? ";
my $dsn = "DBI:mysql:$database";
my $dbh = DBI->connect($dsn, $MYSQLuserid, $MYSQLpassword)
    or die $DBI::errstr;
my $sth = $dbh->prepare(qq(INSERT INTO $table VALUES ($questionmarks) ))
    or die $DBI::errstr;
# $new_row is a single scalar, so only one bind value reaches execute().
$sth->execute(qq($new_row)) or die $DBI::errstr;
First, let's fix the first statements:
These will create an array of values and a single string with all the ?s.
Then in the execute statement:
which will pass your array of values into the execute line, rather than a single argument like you were doing before.
You're supposed to supply a list of arguments, one for each questionmark, not a single scalar argument that contains the strings of the arguments. When I answered your question before, I told you to do:
is your placeholder string, not your argument list. Not:
Because
counts as one argument, since it is a scalar. You need an array or list of the same length as the number of question marks.
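Both answers make the same point: execute() wants one bind value per placeholder, not one string containing all of them. The following is an added example, not code from the question or either answer; it assumes DBD::SQLite is installed and uses an in-memory table in place of MySQL, with a %form hash standing in for CGI's param().

```perl
#!/usr/bin/perl
# Added example, not from the question or answers: one bind value per
# placeholder. Assumes DBD::SQLite; an in-memory table stands in for MySQL.
use strict;
use warnings;
use DBI;

# Constructed stand-in for CGI's param() and the script's field order.
my %form = (username => "O'Brien", role => 'user', plan => 'Monthly');
my @account_field_order = qw(username role plan);
my $status = '30-Day-Trial';

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE account (username TEXT, role TEXT, plan TEXT, status TEXT)');

# One value per field plus the status, kept as a list and never quoted into SQL.
my @values = ((map { $form{$_} } @account_field_order), $status);
my $placeholders = join ', ', ('?') x @values;

# Placeholders cover values only; a table name still has to come from a
# fixed list inside the script, never from the request.
my $sth = $dbh->prepare("INSERT INTO account VALUES ($placeholders)");

# Wrong: the joined string is a single scalar, so DBI sees one bind value
# for four placeholders and refuses to run the statement.
my $joined = join ', ', map { "'$_'" } @values;
eval { $sth->execute($joined) };
print "single scalar rejected: $@" if $@;

# Right: the array flattens into one argument per placeholder, and the
# quote inside O'Brien is stored as data rather than ending a literal.
$sth->execute(@values);

my ($stored) = $dbh->selectrow_array(
    'SELECT username FROM account WHERE role = ?', undef, 'user');
print "stored username: $stored\n";
```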