

Home > Archive > PERL Miscellaneous > September 2004 > RE: (was: decode the form information)










 

RE: (was: decode the form information)
Larry

2004-09-27, 4:01 pm

and what do you think about this?

code:
sub get_form_data {
    my $temp;
    my $buffer;
    my @data;
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    foreach $temp (split(/&|=/,$buffer)) {
        $temp =~ tr/+/ /;
        $temp =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
        $temp =~ s/[\r\n]/ /g;
        push @data, $temp;
    }
    foreach $temp (split(/&|=/,$ENV{'QUERY_STRING'})) {
        $temp =~ tr/+/ /;
        $temp =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
        $temp =~ s/[\r\n]/ /g;
        push @data, $temp;
    }
    return @data;
}

local %form = &get_form_data;

print $form{'something'};


Is it reliable enough? It sounds good to me!!!
Mark Clements

2004-09-27, 4:01 pm

Larry wrote:
> and what do you think about this?
>
> [code]
>
> sub get_form_data {

<snip>

> Is it reliable enough? It sounds good to me!!!

You've been advised to use the CGI module. If you intend to produce
production code, then there isn't really an excuse not to use it. If you
don't then you are going to cause yourself all sorts of problems. I
doubt if anyone is going to be willing to step through your attempt at
cgi parameter parsing and comment on it....

Mark
Larry

2004-09-27, 4:01 pm

sub get_form_data {

    my ($buffer,@pairs,$pair,$name,$value);

    if ($ENV{'REQUEST_METHOD'} eq 'POST') {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        @pairs = split(/&/, $buffer);
    }
    elsif ($ENV{'REQUEST_METHOD'} eq 'GET') {
        $buffer = $ENV{'QUERY_STRING'};
        @pairs = split(/&/, $buffer);
    }
    else { die "Error... method not allowed\n"; }

    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }

}

this sounds even better!!!!!!!!!
Gunnar Hjalmarsson

2004-09-27, 4:01 pm

Larry wrote:
> and what do you think about this?
>
>
> code:
> sub get_form_data {
>     my $temp;
>     my $buffer;
>     my @data;
>     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>     foreach $temp (split(/&|=/,$buffer)) {
>         $temp =~ tr/+/ /;
>         $temp =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
>         $temp =~ s/[\r\n]/ /g;
>         push @data, $temp;
>     }
>     foreach $temp (split(/&|=/,$ENV{'QUERY_STRING'})) {
>         $temp =~ tr/+/ /;
>         $temp =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
>         $temp =~ s/[\r\n]/ /g;
>         push @data, $temp;
>     }
>     return @data;
> }
>
> local %form = &get_form_data;
>
> print $form{'something');

>
> Is it reliable enough? It sounds good to me!!!


As a general purpose function for parsing CGI form data? No.

The very fact that you feel a need to ask shows that you don't know
enough about CGI to write such a function. It's good that you want to
learn, but asking open CGI questions in this group is the wrong way.
Studying the CGI spec and the source of Perl modules for the purpose
are two good ways.

You really should stick with CGI.pm or any of the alternative modules
available such as CGI::Lite or CGI::Minimal, at least for the time being.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
Rhesa Rozendaal

2004-09-27, 4:01 pm

Larry wrote:
> sub get_form_data {
>
> my ($buffer,@pairs,$pair,$name,$value);
>
> if ($ENV{'REQUEST_METHOD'} eq 'POST') {
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> }
> elsif ($ENV{'REQUEST_METHOD'} eq 'GET') {
> $buffer = $ENV{'QUERY_STRING'};
> @pairs = split(/&/, $buffer);
> }
> else { die "Error... method not allowed\n"; }
>
> foreach $pair (@pairs) {
> ($name, $value) = split(/=/, $pair);
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $FORM{$name} = $value;
> }
>
> }
>
> this sounds even better!!!!!!!!!


Very nice, but what if I'm going to submit a form that has a group of
checkboxes (each one with the same name), and I select more than one?

The GET Url would look like:

/script.pl?cb=1;cb=2

Ouch!
First of all, ";" is also a valid option separator. Secondly, you lose the
first cb value.

Use CGI.pm.
Tore Aursand

2004-09-27, 4:01 pm

On Mon, 27 Sep 2004 14:26:56 +0000, Larry wrote:
> and what do you think about this?


Horrible. It will break. Eventually.

>
> code:
> sub get_form_data {
>     my $temp;
>     my $buffer;
>     my @data;
>     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>     foreach $temp (split(/&|=/,$buffer)) {
>         $temp =~ tr/+/ /;
>         $temp =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
>         $temp =~ s/[\r\n]/ /g;
>         push @data, $temp;
>     }
>     foreach $temp (split(/&|=/,$ENV{'QUERY_STRING'})) {
>         $temp =~ tr/+/ /;
>         $temp =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
>         $temp =~ s/[\r\n]/ /g;
>         push @data, $temp;
>     }
>     return @data;
> }
>
> local %form = &get_form_data;
>
> print $form{'something');

>
> Is it reliable enough?


No.

> It sounds good to me!!!


It doesn't matter how it sounds, as long as it doesn't work. The code
above is better written as:

use CGI;

my $CGI = CGI->new();
print $CGI->param('something');

So. Use the CGI module. There's a reason why everyone else uses it.


--
Tore Aursand <tore@aursand.no>
"War is too serious a matter to entrust to military men." (Georges
Clemenceau)
Larry

2004-09-27, 9:01 pm

In article <2rqskvF1ckhvvU1@uni-berlin.de>,
Gunnar Hjalmarsson <noreply@gunnar.cc> wrote:

>
> As a general purpose function for parsing CGI form data? No.
>
> The very fact that you feel a need to ask shows that you don't know
> enough about CGI to write such a function. It's good that you want to
> learn, but asking open CGI questions in this group is the wrong way.
> Studying the CGI spec and the source of Perl modules for the purpose
> are two good ways.
>
> You really should stick with CGI.pm or any of the alternative modules
> available such as CGI::Lite or CGI::Minimal, at least for the time being.
>


OK, OK... I will.
Joe Smith

2004-09-28, 3:59 am

Larry wrote:

> and what do you think about this?
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});


I think that anyone can crash your server with hardly any effort.
Have you considered what will happen if CONTENT_LENGTH is 4294967297 ?
-Joe
Malcolm Dew-Jones

2004-09-28, 4:11 pm

Joe Smith (Joe.Smith@inwap.com) wrote:
: Larry wrote:

: > and what do you think about this?
: > read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

: I think that anyone can crash your server with hardly any effort.
: Have you considered what will happen if CONTENT_LENGTH is 4294967297 ?
: -Joe

The same thing that will happen if you use CGI; with the default settings.

(and as far as I've noticed, virtually all scripts and examples use cgi.pm
with the default settings.)

Gunnar Hjalmarsson

2004-09-28, 4:11 pm

Malcolm Dew-Jones wrote:
> Joe Smith (Joe.Smith@inwap.com) wrote:
>
> The same thing that will happen if you use CGI; with the default
> settings.
>
> (and as far as I've noticed, virtually all scripts and examples use
> cgi.pm with the default settings.)


Very true.

When will the myth in this group, that using CGI.pm makes a big
difference with respect to security, be put to death? Writing secure
CGI scripts requires knowledge about the potential risks and efforts
to address those risks. Whether CGI.pm is used for parsing data or not
has (almost) nothing to do with it.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
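The following is an added example, not code posted by anyone in this thread. It shows what a hand-rolled form parser has to do to survive the two failure modes raised above: Rhesa Rozendaal's point that ";" is a valid pair separator and that repeated field names (a checkbox group) must all be kept, and Joe Smith's point that passing CONTENT_LENGTH straight into read() lets a client make the script try to buffer a 4 GiB body. The names parse_form_data, url_decode, param, param_list and MAX_BODY are this example's own, as is the sample request body, which is constructed here so the script runs offline without a web server.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a bounded, multi-value-aware parser
# for application/x-www-form-urlencoded data. All names are this example's.
use strict;
use warnings;

# Upper bound on the request body we are willing to buffer. A bare
# read(STDIN, $buf, $ENV{CONTENT_LENGTH}) allocates whatever the client
# claims; checking the length first is what stops that.
use constant MAX_BODY => 64 * 1024;

# Decode one name or value: '+' is space, %XX is a byte. Result is bytes,
# not characters; character-set handling is a separate step.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# $env is a hash ref shaped like %ENV; $in is a filehandle standing in for
# STDIN. Returns a hash ref in which every key maps to an array ref, so a
# group of checkboxes with the same name keeps all of its values.
sub parse_form_data {
    my ($env, $in) = @_;
    my $method = $env->{REQUEST_METHOD} // '';
    my $buffer = '';

    if ($method eq 'POST') {
        my $len = $env->{CONTENT_LENGTH} // '';
        # Refuse anything that is not a plain decimal number, and anything
        # larger than MAX_BODY, before read() is ever called.
        die "bad Content-Length\n"      unless $len =~ /\A[0-9]+\z/;
        die "request body too large\n"  if $len > MAX_BODY;
        my $got = read($in, $buffer, $len) // 0;
        die "short read: got $got of $len bytes\n" if $got != $len;
    }
    elsif ($method eq 'GET' || $method eq 'HEAD') {
        $buffer = $env->{QUERY_STRING} // '';
    }
    else {
        die "method not allowed: $method\n";
    }

    my %form;
    # Both '&' and ';' separate pairs. Split each pair on the first '='
    # only, so a value is allowed to contain '=' itself.
    for my $pair (split /[&;]/, $buffer) {
        next if $pair eq '';
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        push @{ $form{ url_decode($name) } }, url_decode($value);
    }
    return \%form;
}

# Accessors with the same shape as CGI.pm's param(): scalar context gives
# the first value, list context gives all of them.
sub param      { my ($f, $k) = @_; return exists $f->{$k} ? $f->{$k}[0]   : undef }
sub param_list { my ($f, $k) = @_; return exists $f->{$k} ? @{ $f->{$k} } : ()    }

# --- demo on a constructed request body (no web server involved) ---------
my $body = 'cb=1;cb=2&name=Larry%20%26%20co&eq=a%3Db%3Dc';
open my $fh, '<', \$body or die $!;
my $form = parse_form_data(
    +{ REQUEST_METHOD => 'POST', CONTENT_LENGTH => length($body) }, $fh);

print "cb values: ", join(',', param_list($form, 'cb')), "\n";  # both checkboxes kept
print "name: ",      param($form, 'name'), "\n";                 # '&' inside a value survives
print "eq: ",        param($form, 'eq'),   "\n";                 # '=' inside a value survives

# The hostile case from Joe Smith's post: a claimed 4 GiB body is refused
# before read() runs, so nothing is allocated.
my $none = '';
open my $empty, '<', \$none or die $!;
eval {
    parse_form_data(+{ REQUEST_METHOD => 'POST', CONTENT_LENGTH => 4294967297 }, $empty);
};
print "refused: $@";
```

The size check is the part that matters for Malcolm Dew-Jones's and Gunnar Hjalmarsson's remarks: CGI.pm gives you the same protection only if you ask for it, by setting $CGI::POST_MAX (in bytes) before creating the CGI object; with the default of -1 it will read whatever CONTENT_LENGTH says, just like Larry's code. Likewise, nothing here validates the decoded values themselves; that still has to happen in the script, whichever parser is used.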








Copyright 2008 codecomments.com