I'm trying to write a CGI script as part of a web technology programme I am undertaking. There's a challenge with getting form data to concatenate into my SQL strings to populate my database which is in Postgre.

This is my HTML form:

<form action="review_input.cgi" method="post">
  <input type="hidden" id="cdid"  name="cdid" value="1" />
  <label for="review">Rate from 1 to 5:</label>
  <select name="review" class="review">
     <option value="1"selected="selected">1- Don't bother</option>
     <option value="2">2- Borrow from a friend</option>
     <option value="3">3- Worth the money</option>
     <option value="4">4- Wonderful</option>
     <option value="5">5- Instant classic</option>
  </select>
  <label for="comment" >Comment:</label>
  <br />
  <textarea name="comment" wrap="soft"></textarea>
  <input type="submit" value="Submit" class="button" />
</form>

These are relevant snippets from C++ source for review_input.cgi. All required libraries that we have learned to date are loading. If they did not, I would get warnings if not outright compiling errors.

CGI_parameters request;   
    const int cdid  =  atoi(request["cdid"].c_str());
    const int rating = atoi(request["review"].c_str());
    const string comments = request["comment"];

    connection conn ("<blah - blah - blah>");
    nontransaction db (conn);

    ostringstream ipt_sql;
    ipt_sql  << "insert into  ratings "
             << "(cdid, userid, rating, comments) "
             << "values "
             << "(" << cdid <<", " << user_ID <<", " << rating <<", '" << comments << "')";

The source compiles all right but if I load the form with data and submit it, none of it transfers to the variables in the last line of the SQL statement. I receive a database error of a primary key violation for cdid is 0. I modified the program to spit out the concatenated SQL and this is what I receive:

insert into ratings (cdid, userid, rating, comments) values (0, 38, 0, '')

The second attribute of the input, userid=38, comes from a global variable I have set as part of a class. Essentially, the form data can only be processed if userid is greater than 0. That means someone is considered authenticated and logged in. If the user is not logged-in, they are directed to the log-in page.

All those other elements work. In trying to debug things, I also tried to have just the request["cdid"] and request["review"] output to the screen in an ostringstream as strings. The variable data is simply not getting to the variables and I can't see why.

Can anyone find what I am doing wrong?