(Ovid) Re: cgi_handlers.pl

Assuming that we're referring to the same code, you do not want to to use cgi_handlers.pl. Here's the relevant code section (comments removed):

sub get_request {
    if ($ENV{'REQUEST_METHOD'} eq "POST") {
    read(STDIN, $request, $ENV{'CONTENT_LENGTH'});
    } elsif ($ENV{'REQUEST_METHOD'} eq "GET" ) {
    $request = $ENV{'QUERY_STRING'};
    }

    %rqpairs = &url_decode(split(/[&=]/, $request));
}

sub url_decode {
    foreach (@_) {
    tr/+/ /;
    s/%(..)/pack("c",hex($1))/ge;
    }
    @_;
}
[download]

This code has virtually all of the bugs one is likely to find in most hand-rolled code, plus some extras.

Since it doesn't use strict or have a package declaration, it's going to overwrite any global %rqpairs or $request variables you have in the namespace of the package that requires this code (unlikely, but it's possible).
This doesn't allow for multiple values in a query string (color=red&color=blue is perfectly legal).
What happens if your $ENV{CONTENT_LENGTH} doesn't match the length of data read from STDIN: you get corrupted data, but you'll never know it.
Newer clients are supposed to separate name/value pairs with semi-colons instead of ampersands. This will break cgi_handlers.pl.

There are a variety of other issues with this code, but this is a good start. See use CGI or die; for more information.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Comment on (Ovid) Re: cgi_handlers.pl Download Code

Replies are listed 'Best First'.
Re: (Ovid) Re: cgi_handlers.pl by Ven'Tatsu (Deacon) on Nov 06, 2001 at 03:46 UTC
One more bug: It is perfectly valid (although I think it should be avoided) to pass information in the query string of a POST request.	[reply]
(Ovid) Re(3): cgi_handlers.pl by Ovid (Cardinal) on Nov 06, 2001 at 04:16 UTC
Nice catch. Yes, I think that qualifies as a bug but I didn't list it as there is a workaround: set `$ENV{'REQUEST_METHOD'}` to 'GET' and call `get_request()` again (after previously saving the contents of `%rqpairs`). This is a typical workaround for most faulty implementations, but it bugs me that most cgi handlers miss this. Cheers, Ovid Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.	[reply]