http://qs1969.pair.com?node_id=25383

Mork29 has asked for the wisdom of the Perl Monks concerning the following question:

On my website, will be a place for people to create accounts. It will ask a variety of information, including a username. How do i get it to save all the information in a new file, with there username as the file name. ie.. if their username is "User" then make the file user.txt or user.dat or something to that effect...

Replies are listed 'Best First'.
Re: File Naming
by jlp (Friar) on Aug 01, 2000 at 05:39 UTC
    This should do the job:
    my $user = "User"; open(USER, ">$user.txt") || die "Can't create user file $user.txt: $!" +; print USER "foo";#user data goes here

    This assumes you have the proper write permissions on your server of course.

      Keep in mind that you may not want to store a "plain" password in that file. If you are going to have passwords in the file you may want to use the crypt function to encrypt the password before storing it in the file. You won't be able to decrypt it, but you'll be able to encrypt it after they enter their password and check it against the version in the text file.

      - p u n k k i d
      "Reality is merely an illusion, albeit a very persistent one." -Albert Einstein

Re: File Naming
by fundflow (Chaplain) on Aug 01, 2000 at 06:47 UTC
    If you want your web-site to stay up for more than a day,
    don't forget to check the given user name to exclude users like
    "/etc/passwd" etc.


    HTH
Re: File Naming
by young perlhopper (Scribe) on Aug 01, 2000 at 07:50 UTC
    The key here is to never ever ever EVER trust user input. When you are programming CGI of any type you must look at every piece of input and say "what's the worst possible thing that a user could enter into this field, and how would I deal with it?"

    In short, Program defensively.

    Mark

Re: File Naming
by Mork29 (Scribe) on Aug 01, 2000 at 09:03 UTC
    Ok, my follow up question, how do i exclude only a single character from the username or password or any other fields. ie... don't let them put a / in the username?
      sub secure_query { $_ = shift; s/\-+(.*)/$1/g; s/(.*)[ \t]+\-(.*)/$1$2/g; tr/\$\'\`\"\<\>\/\;\!\|/_/; return($_); }#End secure_query
        This is probably a little simpler and a lot safer:
        $had_bad_characters = $user =~ s/\W//g; # Safer still (since what's defined as a 'word character' could change + based on locale/Unicode (?)) $user =~ s/[^a-zA-Z_-]//g; # Explicitely define what we want to ACCE +PT as valid
        Generally the secure approach involves defining what is acceptable and disallowing everything else, not trying to filter out what we know/anticipate to be bad, because stuff frequently slips through.
Re: File Naming
by Mork29 (Scribe) on Aug 01, 2000 at 07:05 UTC
    <writes the word newbie on his forhead> Explain why? Some type of exploit for "hackers" ??
      If you pass a string from a user directly to open, the person can run arbitray commands. The username ';rm nameofcgi.cgi;' for example will delete nameofcgi.cgi (on some platforms, anyways). Even if you prefix the filename with a directory, someone could use ../ to write to the directory of their choice, someone could use a \0 to prevent any appended string from being used in the filename (since the underlying C library will take the \0 to be end of string). In other words, you need to verify that the data the user has given you does not contain anything it shouldn't. You can use the -T switch (#!/usr/bin/perl -T) which will enable taint checking which will cause perl to stop when it encounters a potentially unsafe operation.