in reply to Re: CGI-Upload / Bad File Number
in thread CGI-Upload / Bad File Number

I don't really understand how uploading-process works.

If you are using CGI, see CGI, in particular the section on Older ways to process uploads

The original way to process file uploads with CGI.pm was to use param(). The value it returns has a dual nature as both a file name and a lightweight filehandle.

You should find your working script will fail if you force $file into scalar by adding the line

if($file=~/[\w _\.\-\(\)\+]+\.jpg/i) {
    $file = ''.$file;

Does $src have some added processing that $file doesn't?

poj

Re^3: CGI-Upload / Bad File Number
by frnk (Novice) on Jul 16, 2016 at 18:42 UTC

    This is how I read the CGI-data:

    $query = new CGI;
    @names = $query->param;
    foreach (@names) {
        $val = $query->param($_);
        eval("\$$_ = '$val';");
    }

    There is one value called '$file1' containing the source-file.

    The upload-function is called this way:

    if ($FNC eq "Hochladen") {
        if ($file1 ne "") {
            Upload("$DIR$FILE/_file1", $file1);
        }
    }
    ...where '$file1' is named '$src' in the function and "$DIR$FILE/_file1" is the destination filename without extension, which is taken from the source filename.

    There is no other appearance of '$file1' or '$src' in my code.

      I would remove the eval, like this

      my $query = new CGI;
      my $file1 = $query->param('file1');
      if ($query->param('FNC') eq "Hochladen") {
          if ($file1 ne "") {
              Upload("$DIR$FILE/_file1", $file1);
          }
      }

      It would help to see the complete CGI script as I suspect some other improvements could be suggested.

      poj

        You got it!! - Thanks a lot!

        ...obviously sometimes I have to read more about how upload works. I always wondered in a small part of my head about how the filename-string can specify the whole upload-connection, but if this filename-string is not a 'pure' string containing a handle in the background, this point gets clearer...

        Regards, Frank

      This is a security hole, anybody running your CGI can run any Perl program they write

          eval("\$$_ = '$val';"); }

      $cgi->param already gives you access to params by name, there is no need for eval

      If you want something other than $cgi use a hash, see CGI->VarsAsHash
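
The hash-based approach suggested in the answer above, written out as an added example that is not part of the original thread. The query string is constructed so the script runs offline, and the `title` and `unexpected` field names and the allowlist are assumptions; only `FNC`, `file1` and `Upload()` come from the poster's code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed request for an offline run; a real CGI script calls CGI->new
# with no argument. 'title' and 'unexpected' are made-up field names.
my $query = CGI->new("FNC=Hochladen&title=Frank's%20photo&unexpected=1");

# Allowlist of the fields this script expects (assumed list).
my @expected = qw(FNC title file1);

# Copy the parameters into a hash instead of eval'ing them into variables.
# Each value is stored as plain data, so an apostrophe needs no escaping,
# and neither a parameter name nor a value is ever compiled as Perl.
my %in;
for my $name (@expected) {
    my $val = scalar $query->param($name);
    $in{$name} = defined $val ? "$val" : '';    # text copy only
}

# Fields that are not on the allowlist are ignored; list them for the log.
my %known   = map { $_ => 1 } @expected;
my @ignored = grep { !$known{$_} } $query->param;

# Keep the upload handle separate from the text copy. Stringifying the value
# of param('file1') drops the filehandle, which is what broke the upload in
# this thread; upload() returns the handle itself.
my $fh = $query->upload('file1');    # undef here: the sample has no file

print "FNC     = $in{FNC}\n";
print "title   = $in{title}\n";
print "ignored = @ignored\n";
print "upload  = ", (defined $fh ? "handle present" : "none"), "\n";

if ($in{FNC} eq 'Hochladen' && defined $fh) {
    # Upload("$DIR$FILE/_file1", $fh);    # Upload() is the poster's own sub
}
```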

        Concerning upload:
        works now - poj found the point: also the eval...

        Concerning security:
        Not so relevant in this case. It's a private site with previous login. But anyway I want to know more about this:

        In between I've inserted $val =~ s/'/\\'/gms; before the eval-statement - not for security but to protect the '-character - maybe this is relevant...
        I'm not sure how this might be used to run code. Can you give me an example??

        I looked at 'CGI->VarsAsHash' but I don't really understand it. Especially the '\%hash' in the return-statement: what does the backslash do??
        Also: is there returned a hash or single strings??

        Thanks, Frank