Process a form in perl and write results to a database

Question

This is my first time programming with both perl and databases, I'm having some issue determining how exactly to write a perl script that will input the results from an html form into a mysql database.

This particular snippet is what is causing me issue:

    # CONFIG VARIABLES
    $platform = "mysql";
    $database = "*****";
    $host = "localhost";
    $port = "3306";
    $user = "*****";
    $pw = "*****";

    # DATA SOURCE NAME
    $dsn = "dbi:$platform:$database:$host:$port";

    # PERL DBI CONNECT
    $connect = DBI->connect($dsn, $user, $pw);

    # PREPARE THE QUERY
    $query = "INSERT INTO result (name, console, character, series, bday, steam) VALUES (fname, favConsole, fCharacter, favSeries, birthday, steamAcc)";
    $query_handle = $connect->prepare($query);

    # EXECUTE THE QUERY
    #$query_handle->execute();

I replaced the database name, username and password with asterisks but the real code has the true values.

I'm not certain why the connect and execute lines are giving me issue.

Also where exactly would I put the prompt so the information is written once the user hits the submit button? I tried adding execute as the form action but that didn't work.

This is my work so far:

    #!/usr/bin/perl

    use CGI qw( :standard );
    use DBI;
    use DBD::mysql;

    # CONFIG VARIABLES
    $platform = "mysql";
    $database = "*****";
    $host = "localhost";
    $port = "3306";
    $user = "*****";
    $pw = "*****";

    # DATA SOURCE NAME
    $dsn = "dbi:$platform:$database:$host:$port";

    # PERL DBI CONNECT
    $connect = DBI->connect($dsn, $user, $pw);

    # PREPARE THE QUERY
    $query = "INSERT INTO result (name, console, character, series, bday, steam) VALUES (fname, favConsole, fCharacter, favSeries, birthday, steamAcc)";
    $query_handle = $connect->prepare($query);

    # EXECUTE THE QUERY
    #$query_handle->execute();

    $dtd =
    "-//W3C//DTD XHTML 1.0 Transitional//EN\"
       \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";

    print( header() );

    print( start_html( { dtd => $dtd,
      title => "~Video Game Survey~" } 
      #style=>{"background-image:url(/images/blue_line_background.jpg) ";
      #}
      ) );
    #print( " <body style="background-image:url(/images/blue_line_background.jpg)">\n " );


    print( "<body>\n" );
    print(     "<div style = \"font-size: 14pt; font-weight: bold\">\n" );
    print(      "Please let us know a bit more about yourself.\n" );
    print(     "</div>\n" );
    print( "</body>\n" );

    print( "<br />\n " );

    #Start of the form.
    print( "<form method = \"post\" > \n" );

    #First question, asking the visitor's name.  Name will be stored in the database         but not displayed on the
    #survey results.
    print( "<p>\n" );
    print(      "First of all, what is your name?\n" );
    print(      "<input type = \"text\" name = \"fname\" placeholder = \"John Doe\" required />\n" );
    print( "</p>\n" );

    print( "<br /><br />\n" );

    #Second question, type dropdown list.
    print( "<img src = \"/images/favConsole.png\" />\n");
    print( "<p>\n" );
    print(      "Gaming comes in all sorts of shapes and sizes.  What is your favorite console?\n" );
    print( "</p>\n" );
    print( "<dd>\n" );
    print(      "<input type = \"text\" name = \"favConsole\" placeholder = \"Select a console\"
                   list = \"consoles\" required/>\n" );
    print(              "<datalist id = \"consoles\">\n" );
    print(                  "<option value= \"PC\">\n" );
    print(                  "<option value= \"Playstation 3\">\n" );
    print(                  "<option value= \"Xbox 360\">\n" );
    print(                  "<option value= \"Wii\">\n" );
    print(              "</datalist>\n" );
    print( "</dd>\n");

    print( "<br /><br />\n" );

    #Third question, type radio.  Default value: Mario
    print( "<img src = \"/images/favCharacter.png\" />\n" );
    print( "<p>\n" );
    print(      "Out of the following list, who is your favorite video game character?\n" );
    print( "</p>\n" );
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Mario\" checked><label>Mario</label></dd>\n" ); 
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Sephiroth\" ><label>Sephiroth</label></dd>\n" );
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Sonic\" ><label>Sonic</label></dd>\n" );
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Thrall\" ><label>Thrall</label></dd>\n" );
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Pacman\" ><label>Pacman</label></dd>\n" );
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Cloud\" ><label>Cloud</label></dd>\n" );
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Sylvanas\" ><label>Sylvanas</label></dd>\n ");
    print(      "<dd><input name = \"fCharacter\" type = \"radio\" value = \"Kerrigan\" ><label>Kerrigan</label></dd>\n ");
    print( "</dd>\n" );

    print( "<br /><br />\n" );

    #Fourth question, type dropdown.  Required.
    #Dropdown options will not appear unless the window is maximized in terms of height.
    print( "<img src = \"/images/favSeries.png\" />\n" );
    print( "<p>\n" );
    print(      "Which of the following series is your favorite?\n" );
    print( "</p>\n" );
    print(      "<input type = \"text\" name = \"favSeries\" placeholder = \"Select a series\"
                   list = \"series\" required/>\n" );
    print(              "<datalist id = \"series\">\n" );
    print(                  "<option value= \"Legend of Zelda\">\n" );
    print(                  "<option value= \"Halo\">\n" );
    print(                  "<option value= \"Bioshock\">\n" );
    print(                  "<option value= \"Resident Evil\">\n" );
    print(                  "<option value= \"Mario Party\">\n" );
    print(                  "<option value= \"Angry Birds\">\n" );
    print(                  "<option value= \"The Sims\">\n" );
    print(                  "<option value= \"Mass Effect\">\n" );
    print(                  "<option value= \"Half-Life\">\n" );
    print(                  "<option value= \"Warcraft\">\n" );
    print(                  "<option value= \"Starcraft\">\n" );
    print(                  "<option value= \"Borderlands\">\n" );
    print(              "</datalist>\n" );

    print( "<br /><br />\n" );

    #Fifth question, type date.  No default value, but still required.
    print( "<img src = \"/images/bday.png\" />\n" );
    print( "<p>\n" );
    print(      "What is your cake day?\n" );
    print( "</p>\n" );
    print(      "<input type = \"date\" name = \"birthday\" required />(yyyy-mm-dd)\n" );

    print( "<br /><br />\n" );

    #Sixth question, type radio.  Default value: no.
    print( "<p>\n" );
    print(      "Last but not least, do you have a Steam account?\n" );
    print(      "<input name = \"steamAcc\" type = \"radio\" value = \"Y\" >        <label>Yes</label>\n" );
    print(      "<input name = \"steamAcc\" type = \"radio\" value = \"N\" checked>        <label>No</label>\n" );
    print( "</p>\n" );

    print( "<p>\n" );
    print(      "<input type = \"submit\" value = \"Submit\" />\n" );
    print(      "<input type = \"reset\" value = \"Clear\" /></p>\n" );
    print( "</p>\n" );

    #End of the form
    print( "</form>\n" );

    print( end_html() );

Answer 1

A few things to start off with:

1. Add these lines to the top of your script for safety in your code.

   use strict;
   use warnings;
   

2. The above step means you will need to declare ALL of your variables with my, e.g.

   my $dsn = ...
   

3. Tell DBI to throw an error if anything is wrong with the connection or execution (it doesn't do this by default). From the error messages you can get some more clues to figure out what is happening.

   my $dbh = DBI->connect($dsn, $user, $pw, {RaiseError => 1});
   

4. Use placeholders for your SQL (which prevents SQL injection, and also adds quotes your insert values in the SQL automatically)

   my $query = 'insert into (name, console) values (?, ?)';
   my $sth = $connect->prepare($query);
   $sth->execute('fname', 'favConsole');
   # this is equivalent to:
   # "insert into (name, console) values ('fname', 'favConsole')"
   

5. Your values need to be pulled from the CGI params (which I'm guessing you're not up to that stage just yet).

Answer 2

$query_handle = $connect->prepare($query)

should be

$query_handle = $dbh->prepare($query)

$something is the name of a variable. You don't have a variable called $connect, so that clearly can't be right. That line takes the database connection and the query string, and returns a query handle, an object which contains all the info necessary to run the query with.