PerlMonks  

passing data to other script via link

by kasmot (Novice)
on Jun 08, 2004 at 02:21 UTC (#362187)

kasmot has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to pass my data from one Perl script to another via a link:

    <a href=navigate.pl?$pagectr|$query>$pagectr</a>

$query is my search query, and I want it to be passed to and used by the other script. But I wasn't able to do so, because it only passes the first part of the string and terminates right after the space. Here's an example:

    $query = SELECT * FROM sqrequest WHERE id != 0 ORDER BY date, time

but when I pass it, only "SELECT" is being captured. I'm planning to change all the spaces into some other char, but I don't know how. Is there a way for me to make it work, or is there a better way of doing this? Any help is deeply appreciated. Thanks in advance.

Replies are listed 'Best First'.
Re: passing data to other script via link
by chromatic (Archbishop) on Jun 08, 2004 at 02:56 UTC

    To encode data in a URL, you can <strike>call CGI::escapeHTML() directly</strike> use URI::Escape.

    However, consider if I edited the link to encode the query DELETE FROM sqrequest WHERE 1 = 1. You might want to reconsider passing raw SQL queries where users can change them.

    Update: What calin says is what I meant, very different from what I wrote.

      To encode data in a URL, you can call CGI::escapeHTML() directly.

      URL escaping is different from HTML escaping. I think the OP needs a module like URI::Escape. Observe the following code:

          $ perl
          use CGI;
          use URI::Escape;
          my $orig = q{a9: _-;&<tag>'"};
          printf "HTML escaped: %s\n", CGI->escapeHTML($orig);
          printf "URL escaped: %s\n", uri_escape($orig);
          ^D
          HTML escaped: a9: _-;&amp;&lt;tag&gt;'&quot;
          URL escaped: a9%3A%20_-%3B%26%3Ctag%3E'%22

      Most mainstream browsers can recover from common broken (unescaped) URLs - space seems to be the most common. But RFC 2396 is clear in this regard:

          2.4.3. Excluded US-ASCII Characters

             Although they are disallowed within the URI syntax, we include here a
             description of those US-ASCII characters that have been excluded and
             the reasons for their exclusion.

             <SNIP>

             The space character is excluded because significant spaces may
             disappear and insignificant spaces may be introduced when URI are
             transcribed or typeset or subjected to the treatment of
             word-processing programs. Whitespace is also used to delimit URI in
             many contexts.

             space = <US-ASCII coded character 20 hexadecimal>

             <SNIP>

             Data corresponding to excluded characters must be escaped in order to
             be properly represented within a URI.

      Named entities (like those generated by escapeHTML) are simply names for characters and do not represent URL escaping.

      Test HTML snippet:

          <a href="http://google.com/search?q=super search">unescaped space</a>
          <a href="http://google.com/search?q=super%20search">escaped space</a>
          <a href="http://google.com/search?q=super&amp;search">entity amp</a>
          <a href="http://google.com/search?q=super%26search">url-escaped amp</a>

      Attn. OP: Passing SQL statements this way is a security hole.

      Thanks for the quick reply. I see your points. Is there a way to hide the extra parameters that we are sending through a link?

        You can use hidden fields, but that only hides things; it makes it only a little bit more difficult for a mischief maker to do bad things. A better solution is to encode the database query logic in a module or run state somewhere in the code, where users can't access it and you're not sending it to the client and trusting it to come back safely. CGI::Application is one good approach.

Re: passing data to other script via link
by arthas (Hermit) on Jun 08, 2004 at 08:18 UTC

    Don't pass the SQL queries that way, it's dangerous (as someone else already pointed out).

    I would suggest you call your script with something like this:

    navigate.pl?task=dsp

    And, in your program you can have:

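        use CGI;

        my $q = CGI->new;

        # Dispatch on the task name only; dsp() and other() are subs
        # defined elsewhere in the script, and they hold the queries.
        SWTC: {
            $q->param('task') eq 'dsp' and do {
                dsp();
                last SWTC;
            };
            $q->param('task') eq 'other' and do {
                other();
                last SWTC;
            };
        };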

    You can then keep all the queries in the subs.

    Hope this helps!

    Michele.
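
The approach the replies converge on (send a task name in the link, keep the SQL on the server, URL-escape what goes into the link and HTML-escape the finished attribute), as an added example that is not code from any poster in this thread. The `page` parameter, the LIMIT/OFFSET paging, the page size and the sub names are assumptions of this example; the query strings in the loop are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use URI::Escape qw(uri_escape);

# Allow-list kept on the server: the link carries a task name, never SQL.
# The query is the one from the question; LIMIT/OFFSET paging and the page
# size are assumptions of this example.
my %QUERY_FOR = (
    dsp => 'SELECT * FROM sqrequest WHERE id != 0 '
         . 'ORDER BY date, time LIMIT ? OFFSET ?',
);
my $PAGE_SIZE = 20;

# Build a page link: URL-escape each value, then HTML-escape the finished
# URL because it is placed inside an HTML attribute.
sub page_link {
    my ($task, $page) = @_;
    my $url = sprintf 'navigate.pl?task=%s&page=%s',
        uri_escape($task), uri_escape($page);
    return sprintf '<a href="%s">%s</a>',
        CGI->escapeHTML($url), CGI->escapeHTML($page);
}

# Map request parameters to (SQL, bind values); empty list means rejected.
sub resolve_request {
    my ($q) = @_;
    my $task = $q->param('task');
    my $page = $q->param('page');
    $page = 1 unless defined $page;
    return unless defined $task && exists $QUERY_FOR{$task};
    return unless $page =~ /\A[1-9][0-9]{0,5}\z/;   # digits only, no newline
    return ($QUERY_FOR{$task}, $PAGE_SIZE, ($page - 1) * $PAGE_SIZE);
}

print page_link('dsp', 2), "\n";

# Constructed sample query strings: one valid, two tampered with.
for my $qs ('task=dsp&page=2',
            'task=' . uri_escape('DELETE FROM sqrequest WHERE 1 = 1'),
            'task=dsp&page=' . uri_escape('2; DROP')) {
    my ($sql, @bind) = resolve_request(CGI->new($qs));
    print "$qs\n  => ",
        (defined $sql ? "$sql (binds: @bind)" : 'rejected'), "\n";
}
```

The returned SQL and bind values are meant to be handed to a prepared statement, so the only client-controlled data that reaches the database is the validated page offset.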
