Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I try and I try. But I just can't get this damn program to work. I have all of the correct code. My server just won't run it. In the TMPL, all of the tags are written correctly and they are in the right spots. Could someone help me with this one?

    #!/usr/bin/perl

    #Loads the CGI Module
    use CGI;
    use HTML::Template;

    # creates a new CGI object
    my $page = new CGI;

    $Create a new HTML:Template object
    my $Temp = new HTML::Template;

    # This will print a standard HTML header
    print $page->header;

    # Grab a named CGI parameter
    my $value = $page->param("video");

    #Open up the file that contains the review of the video
    open(SEE, "../$value") or die "The File could not be opened.";

    ###The Shtick for the name in the Title Bar
    #Split it up into individual words and
    #put it into an array
    my @tokens = split(/[\/_\.]/, $value);

    #splice the first three elements from the array
    splice(@tokens, 0, 3);

    #Pop the end of the list off
    pop(@tokens);

    #Then put the remaining things together
    $Title = join(' ', @tokens);

    #Save the file to an array
    @video_info = <SEE>;

    #Now print out lots of HyperText Mark-up Language using
    # HTML::Template
    my $template = $Temp->new(filename => '../Template/my.tmpl');
    $template->param(text => "@video_info");
    $template->param(Title => "$Title");
    print $template->output;
    exit;

Replies are listed 'Best First'.
Re: More with HTML:Template
by wog (Curate) on Nov 23, 2001 at 08:36 UTC
    Before actually getting to your problem, I forewarn you that, if your script was made to compile, you would have a major security flaw: For example, the video param could contain something like ; rm -rf / |, resulting in your script running the rather dangerous command rm -rf /. I strongly suggest turning on taint checking and carefully untainting all your inputs to avoid this type of problem.

    If you had taken the time to check the error logs, or run your script through perl -c (to check if it compiles), then you would have gotten a message starting like: Bareword found where operator expected at - line 10, near "$Create a". This error is a result of perl being confused since you typed $ where you probably meant #.

    As a sidenote, I would recommend you run your script with strict and warnings, which is likely to save you time in the future.

    update: s/compiled/was made to compile/

Re: More with HTML:Template
by mce (Curate) on Nov 23, 2001 at 14:12 UTC
    Hi there,
    Why do you declare the Template object twice with new? I stripped down your code to give you an example:
        #!/usr/bin/perl

        #Loads the CGI Module
        use strict;
        use CGI;
        use HTML::Template;

        # creates a new CGI object
        my $page = new CGI;

        # Create a new HTML:Template object
        my $template = HTML::Template->new(filename => '..\Template\my.tmpl');

        # This will print a standard HTML header
        print $page->header;

        # Grab a named CGI parameter
        my $value = $page->param("video");

        #Now print out lots of HyperText Mark-up Language using
        # HTML::Template
        $template->param(text => $value);
        print $template->output;
        exit;
    This code works fine for me when I make my template like
        <HTML>
        <TMPL_VAR NAME=text>
        </HTML>
    And, as is correctly stated before, please open the file like:
    open(SEE, "< ../$value") or die "The File could not be opened.";
    I hope this will send you in the correct direction.
    ---------------------------
    Dr. Mark Ceulemans
    Senior Consultant
    IT Masters, Belgium
    update by mce: I see also that you give an array as a param, this can only be used in TMPL_LOOP situations when the array holds references to a hash
      open(SEE, "< ../$value") or die "The File could not be opened."

      This is an improvement, but not really secure. There are probably some files the user should not access, and this allows (some of) them to be accessed with a bit of guessing on their path. To make this secure one should check to make sure $value only contains a certain set of characters, probably excluding /.
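
The character-set check and untainting recommended in the replies above, as an added example that is not part of the original thread. The directory /var/www/reviews and the names safe_review_name and open_review are hypothetical, and the three-argument form of open is an addition the thread does not mention.

```perl
#!/usr/bin/perl -T
# Taint mode: run as a CGI executable, or from a shell as "perl -T script.pl".
use strict;
use warnings;

# Hypothetical directory holding the review files (an assumption, not from the thread).
my $REVIEW_DIR = '/var/www/reviews';

# Return an untainted file name, or nothing if the value is not acceptable.
# Allowlist: letters, digits, "_" and "-", with single dots between name parts.
# "/" is excluded and a leading dot is refused, so "../x" and ".htaccess" fail.
sub safe_review_name {
    my ($raw) = @_;
    return unless defined $raw;
    # \A and \z anchor the whole string; "$" would accept a trailing newline.
    # Returning the capture $1 is what untaints the value under -T.
    return $1 if $raw =~ /\A([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*)\z/;
    return;
}

# Open a review for reading. With three-argument open the mode is fixed to
# "<", so "|", ">" or ";" in the name can never select a pipe or a write.
sub open_review {
    my ($raw) = @_;
    my $name = safe_review_name($raw);
    return unless defined $name;
    open(my $fh, '<', "$REVIEW_DIR/$name") or return;
    return $fh;
}

# Constructed sample values for the "video" parameter.
my @samples = (
    'matrix_review.txt',   # ordinary name
    '; rm -rf / |',        # the value quoted in the first reply
    '../../etc/passwd',    # path guessing, as described in the last comment
    "ok.txt\n",            # trailing newline
    '.htaccess',           # leading dot
);

for my $input (@samples) {
    my $name = safe_review_name($input);
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-22s => %s\n", "'$shown'",
        defined $name ? "accepted as '$name'" : 'rejected';
}
```

Only the first sample is accepted; a CGI script would pass the video parameter to open_review and show an error page when it returns nothing.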

Re: More with HTML:Template
by Dogma (Pilgrim) on Nov 23, 2001 at 15:22 UTC

    1) You should have started with both warnings and use strict.

    2) If you choose to ignore this advice and then have some unisolated bug, see step 1.

    3) If at this point you're about to say "But..." then please see step 1 and 2.

    4) Now if your bug still can't be tracked down, you probably ignored steps 1 through 3. At this point you might as well ask for help.

    While this may sound rude it's to point out that use strict and warnings will remove almost all common programming mistakes. Without them it's pretty much like trying to figure out what's wrong with the patient without even looking at them. You'll hear this advice from almost all perl programmers... because we all learned it the hard way.