#1
Want to compare CGI input with data from a MySQL table
Hello,
I have this program:

    #! /usr/bin/perl
    use DBI ;
    use strict ;
    use CGI ;
    my ($cgi) = new CGI ;
    my (@param) = $cgi->param("firstname","lastname","type") ;
    my ($dsn)="DBI:mysql:dr:localhost";
    my ($user_name) = "fubar" ;
    my ($password) = "secret" ;
    my ($dbh,$sth) ;
    my (@ary) ;
    $dbh = DBI->connect ($dsn, $user_name, $password, { RaiseError => 1 });
    $sth=$dbh->prepare ("SELECT firstname,lastname,type FROM dts WHERE firstname LIKE $param[0] AND lastname LIKE $param[1] and type LIKE $param[2]" );
    $sth->execute ();

and I get this error simply running the program from the command line:

    DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 at ./submit.cgi line 24.

My question is: is this the right syntax to use, both, for this line:

    my (@param) = $cgi->param("firstname","lastname","type") ;

as well as this one:

    $sth=$dbh->prepare ("SELECT firstname,lastname,type FROM dts WHERE firstname LIKE $param[0] AND lastname LIKE $param[1] and type LIKE $param[2]" );

or should there be quotes around the $param[0] or something? (also is it $param[0] or $param(0)?)

Thanks.
#2
Yes. Since you are using perl variables you are effectively using literals in the query. Thus they have to be in quotes so MySQL does not try to use them as column names or key words.
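An added example, not part of the original thread: the same lookup with each CGI field fetched on its own and bound through DBI placeholders, next to a hand-quoted interpolated query that breaks on a value containing an apostrophe. Assumptions: an in-memory SQLite database (DBD::SQLite) stands in for the thread's MySQL `dts` table so the script runs without a server, and the request and table rows are constructed; the `?` placeholder syntax is the same with DBD::mysql.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Constructed request; in the real script CGI->new reads it from the web server.
my $cgi = CGI->new("firstname=Pat%25&lastname=O'Brien&type=%25");

# One param() call per field. param("firstname","lastname","type") does not
# fetch three fields: CGI.pm treats the extra arguments as values to assign
# to "firstname".
my @fields = qw(firstname lastname type);
my @param  = map { scalar($cgi->param($_)) // '' } @fields;

# Assumption: in-memory SQLite stands in for the thread's MySQL "dts" table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE dts (firstname TEXT, lastname TEXT, type TEXT)");
$dbh->do("INSERT INTO dts VALUES (?, ?, ?)", undef, @$_)
    for (["Patrick", "O'Brien", "staff"], ["Ann", "Lee", "guest"]);  # constructed rows

# Hand-quoted interpolation: the apostrophe in O'Brien ends the string literal
# early, so request data changes the structure of the statement and it fails.
my $interpolated = "SELECT firstname,lastname,type FROM dts"
    . " WHERE firstname LIKE '$param[0]' AND lastname LIKE '$param[1]'"
    . " AND type LIKE '$param[2]'";
my $ok = eval { $dbh->selectall_arrayref($interpolated); 1 };
print "interpolated query: ", ($ok ? "ran" : "failed: $@"), "\n";

# Placeholders: the statement text is fixed and the values are passed
# separately, so they are always treated as data, never as SQL.
my $sth = $dbh->prepare(
    "SELECT firstname,lastname,type FROM dts
      WHERE firstname LIKE ? AND lastname LIKE ? AND type LIKE ?");
$sth->execute(@param);
while (my @ary = $sth->fetchrow_array) {
    print "placeholder query row: ", join(", ", @ary), "\n";
}
$dbh->disconnect;
```

The `%` characters in the request are still LIKE wildcards under placeholders; binding protects the statement's structure, not the pattern semantics.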