[Dancer-users] Template run time error.

David Precious davidp at preshweb.co.uk
Sat Jan 15 02:37:48 CET 2011


On Fri, 2011-01-14 at 16:42 -0800, Carlos Ivan Sosa wrote:

> Hello I just started using Dancer, and I find it quite useful for
> mid-size webpages.
> I'm playing with it, but while trying out something like the blog
> engine in Perl Dancer Advent Calendar, I came to a problem of my own.
> I'm using damog's Dancer::Template::Haml which is a wrapper for
> Text::Haml
> 
> I will post my app.pm:
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> package log;
> use Dancer ':syntax';
> use DBI;
> 
> our $VERSION = '0.1';
> 
> my $database = "lib/database.db";
> 
> sub connect_db {
>     my $dbh = DBI->connect("dbi:SQLite:dbname=".$database) or
>     die $DBI::errstr;
> 
>     return $dbh;
> }

You might want to consider using Dancer::Plugin::Database to handle
database connections for you.

> 
> sub exec_sql {
>     my $db = connect_db();
>     my $sql = "select id, url, title, text from entries where url ='".$_[0]."'";
>     my $sth = $db->prepare($sql) or die $db->errstr;
>     $sth->execute or die $sth->errstr;

Dear God no!  SQL injection vulnerabilities are not fun; use
placeholders, never interpolate into an SQL query unless you have a very
good reason to do so, and have taken measures to ensure the data is
safe.

For instance,

  my $sth = $db->prepare(
      "select id, url, title, text from entries where url = ?"
  ) or die $db->errstr;
  $sth->execute($url);


>     $sth->execute or die $sth->errstr;
>     return $sth->fetchrow_hashref();
>     $sth->finish();
> }

Note that you're returning before calling $sth->finish, so that won't
actually get called :)

[...]

> Then everything works correctly when you go to the root directory,
> everything is output as expected. But as soon as you go to
> http://localhost:3000/hola, the output is a run time error with a 404
> Error.

Odd, it looks like it should work.


> get '/:entr', sub {
>     my $entry = params->{entr};
>     my $field = exec_sql($entry);
>     template 'entries' => {
>        title => $field->{title},
>        text => $field->{text},
>     };
> };

The first thing to check is that views/entries.tt exists; I believe
calling template() with a non-existent template name will raise a 404.

If that's all fine, then what happens if you replace the '/:entr' route
with something that doesn't use the template at all, for instance:

  get '/:entr' => sub {
      "OK, looking for " . params->{entr};
  };

I've tested that here, and it works as expected; it would be useful to
check that it works for you too, so we know the problem must be to do
with the template usage.

Cheers

Dave P

-- 
David Precious <davidp at preshweb.co.uk> ("bigpresh")
http://www.preshweb.co.uk/
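The placeholder advice above, as an added example that is not code from the thread: it runs the interpolated query from the original post next to a bind-placeholder version against a constructed in-memory SQLite database (standing in for lib/database.db) and shows what happens when a perfectly legitimate URL slug contains an apostrophe. It assumes DBD::SQLite is installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database standing in for lib/database.db.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do("CREATE TABLE entries (id INTEGER PRIMARY KEY, url TEXT, title TEXT, text TEXT)");
my $ins = $dbh->prepare("INSERT INTO entries (url, title, text) VALUES (?, ?, ?)");
$ins->execute("hola",     "Hola",     "first post");
$ins->execute("o'reilly", "O'Reilly", "slug containing an apostrophe");

# The pattern from the original post: the URL is interpolated straight into the SQL,
# so the query text changes with the data (RaiseError turns prepare failures into die).
sub fetch_entry_interpolated {
    my ($url) = @_;
    my $sql = "select id, url, title, text from entries where url = '$url'";
    my $sth = $dbh->prepare($sql);
    $sth->execute;
    my $row = $sth->fetchrow_hashref;
    $sth->finish;    # finish() before the return so it actually runs
    return $row;
}

# Hardened form: a bind placeholder; DBI hands the value to the driver separately
# from the SQL text, so the data can never be parsed as part of the query.
sub fetch_entry_placeholder {
    my ($url) = @_;
    my $sth = $dbh->prepare("select id, url, title, text from entries where url = ?");
    $sth->execute($url);
    my $row = $sth->fetchrow_hashref;
    $sth->finish;
    return $row;
}

for my $url ("hola", "o'reilly") {
    my $safe = fetch_entry_placeholder($url);
    printf "placeholder  %-9s -> %s\n", $url, $safe ? $safe->{title} : "(no row)";

    my $row = eval { fetch_entry_interpolated($url) };
    printf "interpolated %-9s -> %s\n", $url,
        $@ ? "SQL error: " . (split /\n/, $@)[0] : ($row ? $row->{title} : "(no row)");
}
```

For "hola" both versions return the row; for "o'reilly" the placeholder version still finds it while the interpolated version dies in prepare() with a syntax error, because the apostrophe terminated the string literal and the rest of the value became SQL.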



