Re: Escaping %params

As mentioned in the CB $cgi->Vars may cause problems - a safer way to build the params hash is:

my %params = map { $_ => $cgi->param($_) } $cgi->param;
[download]

And beware of params that have more than one value, e.g. checkbox groups

Update: to allow for params with multiple values:

my %params;
for my $name ($cgi->param) {
    my @values = $cgi->param($name);
    $params{$name} = @values > 1 ? \@values : $values[0];
}
[download]

When further processing %params you will need to check if $param{$name} is an array reference.

Comment on Re: Escaping %params Select or Download Code

Replies are listed 'Best First'.
Re^2: Escaping %params by DaisyLou (Sexton) on Jan 21, 2014 at 01:37 UTC
Thank you... Interestingly, when I use this code: `use warnings; use strict; use CGI; use Data::Dumper; print "Content-type: text/html\n\n"; my $cgi = CGI->new(); my %params = map { $_ => $cgi->param($_) \|\| '' } $cgi->param; print Dumper \%params;` [download] The output is when I pass test.pl?a=\'b is: `$VAR1 = { 'a' => '\\\'b' };` [download] ... so it looks like something in the stack is already taking care of the escaping for me. Am I worrying about nothing?	[reply] [d/l] [select]
Re^3: Escaping %params by tangent (Parson) on Jan 21, 2014 at 01:48 UTC
Data::Dumper is doing that - try this: `for my $param (keys %params) { print "$param: $params{$param}<br>" }` [download]	[reply] [d/l]
Re^3: Escaping %params (perl-escaping / html-escaping by Anonymous Monk on Jan 21, 2014 at 02:46 UTC
Data::Dumper does perl-escaping (defaults have some caveats) Data::Dump::pp() does better perl-escaping by default Neither ddumper does HTML-escaping You can alway do `my $cgi = CGI->new; print $cgi->header, $cgi->Dump ;` to see whats inside $query	[reply] [d/l]
Re^3: Escaping %params by AnomalousMonk (Archbishop) on Jan 21, 2014 at 23:27 UTC
`s/_/\_/g` `s/_/\_/g` does nothing. You probably want `s/_/\\_/g` `>perl -wMstrict -le "$_ = 'a_b__c___'; print qq{before: '$_'}; ;; s/_/\_/g; print qq{after: '$_'}; " before: 'a_b__c___' after: 'a_b__c___'` [download] But please allow me to add my voice to the chorus imploring you to Just Use Placeholders!.	[reply] [d/l] [select]
Re^2: Escaping %params by DaisyLou (Sexton) on Jan 21, 2014 at 15:16 UTC
I've distilled all this advice this as best I can. ============ something.lib ============ sub safer { my $hash = shift; my %safer; while (my ($k, $v) = each %$hash) { s/\\//g for $k, $v; s/0x00//g for $k, $v; s/0x08//g for $k, $v; s/0x09//g for $k, $v; s/0x0a/\n/g for $k, $v; s/0x0d/\r/g for $k, $v; s/"/\\"/g for $k, $v; s/%/\\%/g for $k, $v; s/'/\\'/g for $k, $v; s/_/\_/g for $k, $v; $safer{$k} = $v; } return %safer; } ================ something.cgi... ================ use warnings; use strict; use CGI; use CGI::Carp; print "Content-type: text/html\n\n"; # marker my $cgi = CGI->new(); $cgi->param; my %params; for my $name ($cgi->param) { my @values = $cgi->param($name); $params{$name} = @values > 1 ? \@values : $values[0]; } %params=safer(\%params); # marker for my $param (keys %params) { print "$param: $params{$param}<br>" } [download] The stuff between the two markers will replace the existing `sub main { my $cgi = CGI->new(); my %params = $cgi->Vars();` [download] ... in the existing scripts. This is running under mod-perl (w/ regcooker). Are there any "gotchas" I should be aware of here? Thanks to all you monks for all your help!	[reply] [d/l] [select]
Re^3: Escaping %params by Anonymous Monk on Jan 21, 2014 at 21:38 UTC
A problem is with CGI->Vars , you never want to use CGI->Vars, CGI->Vars is for perl4, Vars mangles (encodes, serializes, packs, implodes) the data, its backwards compatibility for some 1993 stuff You want "escapeHTML" from CGI.pm	[reply]