in reply to db2html

This could definitely be useful. There are two things I would change though:
  1. The script assumes the input filename only has one dot. If the input file is named "my.first.flat.file.db," the output filename is going to be "my.html." This is not a good thing.
  2. The script doesn't escape characters like &, <, >, etc. This means you have to worry about whether the database contains HTML tags and even JavaScript. What if one of the rows contained something like this: <script language='JavaScript'>window.open ('http://www.hax0rsit3.bogus') ;</script>|column 2|column 3Bam! Instant security hole.

Of course, you can always turn off JavaScript, and maybe you never intended to use the script on untrusted data, but IMO, it's never too early to think about security. Plus, as it stands the script doesn't handle ampersands and angle brackets properly. Why not just write the data to stdout (avoiding the filename issue) and use CGI.pm to format/escape the HTML? 

#!/usr/bin/perl -w

use strict ;
use CGI qw (:standard *table) ;

die "Usage: $0 <input-filename-list>\n" unless @ARGV ;

binmode STDOUT, ':crlf' ;
print start_html (-title => join ('; ', @ARGV)), start_table, "\n" ;
while (<>) {
  tr/\r\n//d ;
  my @cols = map {escapeHTML ($_)} split '\|' ;
  print TR (td ([@cols])), "\n" ;
}
print end_table, end_html ;

[download]

I admit the output doesn't look as pretty as your nice hand-formatted output though.

Replies are listed 'Best First'.
Re: Re: db2html
by straywalrus (Friar) on Oct 30, 2001 at 05:41 UTC
    blackmateria, thank you for your input, I will try these things for this little project of mine. Don't worry about my 'pretty formatting', if my has nice formatting, but has some 'nice' security holes, what good is it? Thanx for pointing that out also because I did not even think of that, that's why the community is good
[reply]

In Section Cool Uses for Perl