in reply to file uploads

You really need to clean up how you output your HTML. The simplest method -- and the one that most Perl programmers start with -- is to use a here document.

print <<END_HTML;
<HTML>
  <HEAD></HEAD>
  <BODY BACKGROUND="/Assets/Backdrop.gif">
    <FORM NAME="Recieve" ENCTYPE="multipart/form-data" ACTION="_main.p
+l" METHOD="POST" TARGET="MAIN">
      <INPUT TYPE="hidden" NAME="Function" VALUE="Recieve">
      <INPUT TYPE="hidden" NAME="UserID" VALUE="$gBuffer[1]">
      <INPUT TYPE="hidden" NAME="Signature" VALUE="gBuffer[2]">
      <INPUT TYPE="hidden" NAME="Password" VALUE="$gBuffer[3]">
      <INPUT TYPE="hidden" NAME="Message" VALUE="$gBuffer[4]">
      <TABLE BORDER="0" CELLSPACING="0" CELLPADDING="0" WIDTH="345">
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER"><IMG SRC="/Assets/clearpixel.gif" BORDER
+="0">
          </TD>
        </TR>
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER">
              <FONT COLOR="#FFFF99">The Full Sized (640x480) Picture:<
+/FONT>
            </p>
          </TD>
        </TR>
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER">
              <INPUT TYPE="FILE" NAME="AUT_File" SIZE="25" MAXLENGTH="
+25">
            </p>
          </TD>
        </TR>
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER">
              <FONT COLOR="#FFFF99">The Small Sized (80x60) Thumbnail:
+</FONT>
            </p>
          </TD>
        </TR>
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER">
              <INPUT TYPE="FILE" NAME="THM_File" SIZE="25" MAXLENGTH="
+25">
            </p>
          </TD>
        </TR>
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER">
              <IMG SRC="/Assets/clearpixel.gif" BORDER="0">
            </p>
          </TD>
        </TR>
        <TR VALIGN="TOP" ALIGN="LEFT">
          <TD WIDTH="345">
            <P ALIGN="CENTER">
              <INPUT TYPE="submit" VALUE="Upload">
            </p>
          </TD>
        </TR>
      </TABLE>
    </FORM>
  </BODY>
</HTML>
END_HTML

[download]

This is much easier to read and only took me a couple of minutes to reformat with a proper editor.

prinet wrote:

when i return to my program with the data from the form i can't seem to find the info (even the hidden stuff for direction).

I'm not sure I understand the question. To get the form data, use the CGI.pm param() method:

use CGI qw/:standard/;

my $function  = param( 'Function' );
my $userID    = param( 'UserID' );
my $signature = param( 'Signature' );
my $password  = die "Don't pass passwords to HTML";

[download]

Why are you storing the password in a hidden field in the HTML? It's impossible to stop someone from reading it. Please read this basic overview of Web security for more information. Plus, if you read the rest of the course, it should answer many of the questions that you have. For info on uploading files, read the CGI.pm documentation for creating a file upload field. It also describes to to process the file upload.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Replies are listed 'Best First'.
Re: (Ovid - big security hole) Re: file uploads
by PriNet (Monk) on Feb 27, 2002 at 22:23 UTC
    if it isn't obvious? i am new to perl... thanx for the format scheme...MUCH easier to read...(lol)... i'll attack the cgi.pm issue when i get home tonight and see how that works. will it create a conflict if i read the posted form data prior to using the cgi.pm? my script returns to itself numerous time with different "functions". (oh...btw? i dont "GET" passwords...(*heh*) only POST them...i'm aware of the ?data=test carries the data in the url...not too secure...lol...it gets blanked then reread from the members file by userid....) thanx again...lemmie try to crash my server tonight with the new info.....
[reply]
      addendum:: i read your security info... POST can be extracted as well when it's read from a userfile for comparison when posted into the script? hmmm... be aware gary...be VERY aware...thanx again ovid....
[reply]

In Section Seekers of Perl Wisdom