ddrumguy has asked for the wisdom of the Perl Monks concerning the following question:

Can someone tell me how to run programs via a form using cgi?
I have a form built, and I told the cgi code that if this item is selected to do a system command, and it puts the number 65280 in the answer on the web form??

see below

#!/usr/bin/perl
print "Content-type:text/html\n\n";
$diskuse = (system `/usr/bin/df -k`);
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
    $FORM{$name} = $value;
}
# Since the "how you reached this site" list was saved as
# a number, we need a hash to translate it back to English:
%howreach = (
    0 => "",
    1 => "$diskuse",
    2 => "Site is bookmarked",
    3 => "A search engine",
    4 => "A link from another site",
    5 => "From a book",
    6 => "Other"
);
print <<EndHTML;
<html><head><title>Results</title></head>
<body>
<h2>Results</h2>
Here's what you entered:<p>
Your name: $FORM{'name'}<p>
Email: $FORM{'email'}<p>
Which option you picked: $howreach{$FORM{'howreach'}}<p>
How you'd rate this site (1=poor,5=excellent): $FORM{'rating'}<p>
EndHTML
%boxes = (
    "des" => "Website Design",
    "svr" => "Web Server Administration",
    "com" => "Electronic Commerce",
    "mkt" => "Web Marketing/Advertising",
    "edu" => "Web-Related Education"
);
print "You're also involved in the following:<br>\n";
foreach $key (keys %boxes) {
    if ($FORM{$key} == 1) {
        print "$boxes{$key}<br>\n";
    }
}
print <<EndFoot;
<p>
Your comments:<br>
$FORM{'comments'}<p>
</body></html>
EndFoot

Re: Running programs via cgi
by davis (Vicar) on May 10, 2002 at 16:49 UTC
    Hi,
    Please, please use CGI in your cgi scripts. You're parsing the query string yourself, which is laying yourself open to all manner of security holes, plus maintainability nightmares.
    Also, you'd be well advised to use warnings and use strict, devices to save your sanity while coding.
    In particular, please check out Ovid's CGI course; lesson two looks useful for you.
    Update: Found the link I was looking for: use CGI or die;

    Here's an example form that might do something similar, without the df stuff: (forgive the dodgy formatting)
    #!/usr/bin/perl -w
    use strict;
    use CGI qw(:standard);

    print header();
    print start_html(-title => "Results");
    print start_form;
    print popup_menu(-name   => "howreach",
                     -values => ["0", "1", "2"],
                     -labels => {"0" => "Informed by prophet",
                                 "1" => "Instructed by dog",
                                 "2" => "Google, baby",});
    print submit(-label => "Go");
    print end_form;
    print end_html;
    Cheers

    davis
    Is this going out live?
    No, Homer, very few cartoons are broadcast live - it's a terrible strain on the animator's wrist
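davis's example builds the form; the other half, the results page that the original script hand-rolls, is where the security holes sit. As an added example (my code, not davis's and not from the original post), here is that results page done with CGI.pm: param() handles the &-splitting and %XX decoding, and escapeHTML() keeps whatever the visitor typed from being echoed back as live HTML. The field and option names are the ones from the original script; CGI.pm is assumed to be installed (it left the Perl core in 5.22).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard escapeHTML);   # assumes CGI.pm is installed

# Translation table for the "howreach" popup, values as in the original script.
my %howreach = (
    0 => "",
    2 => "Site is bookmarked",
    3 => "A search engine",
    4 => "A link from another site",
    5 => "From a book",
    6 => "Other",
);

# Checkbox names and labels, as in the original script.
my %boxes = (
    des => "Website Design",
    svr => "Web Server Administration",
    com => "Electronic Commerce",
    mkt => "Web Marketing/Advertising",
    edu => "Web-Related Education",
);

print header(), start_html(-title => "Results"), h2("Results");
print "Here's what you entered:<p>\n";

# param() decodes GET and POST alike; escapeHTML() turns <, >, & and quotes
# into entities so a submitted "<script>" is shown as text, not run.
for my $field (qw(name email rating comments)) {
    my $value = param($field);
    $value = "" unless defined $value;
    print "$field: ", escapeHTML($value), "<p>\n";
}

# Look the option up in the table rather than printing the raw value; a key the
# table does not know (anything outside 0..6) prints nothing at all.
my $choice = param("howreach");
$choice = "" unless defined $choice;
my $label = exists $howreach{$choice} ? $howreach{$choice} : "";
print "Which option you picked: ", escapeHTML($label), "<p>\n";

print "You're also involved in the following:<br>\n";
for my $key (sort keys %boxes) {
    my $v = param($key);
    print "$boxes{$key}<br>\n" if defined $v && $v eq "1";
}

print end_html();
```

Point the original form at this script and it replaces everything from the read(STDIN, ...) line down. Note that the "1 => $diskuse" entry is gone on purpose: the output of a command belongs in its own code path, not in a lookup table of labels.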
Re: Running programs via cgi
by Silicon Cactus (Scribe) on May 10, 2002 at 17:54 UTC
    From the looks of it you have a couple problems with your system call.

    1) Your web daemon is (hopefully) running as the user nobody; check to make sure that the user nobody has access to run df. If nobody does not have permissions, you will need to build a setuid script in C (unless the setuid/apache/perl 'bug' has been fixed).

    2) As it is, you are storing what should be an array in a scalar. Run the command from the shell. I bet you get more than one line back.

    3) While in this particular example you aren't passing anything to your system call, in the future you might consider it. Please don't, at least not without all the things that davis mentions. Even then, seriously reconsider passing ANYTHING to the shell. It can be a MAJOR security threat.
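To put points 2 and 3 into code, here is an added example (mine, not Silicon Cactus's or the original poster's). It splits the 65280 the original script printed the way perlvar documents $?, and it runs df through a list-form pipe open, so the arguments go straight to exec() and no shell ever sees them; the one value a web user could influence is checked against an allowlist (a constructed one, for illustration) before df is run, with taint mode on.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# system() returns the wait status, not the command's text. Splitting 65280 the
# way perlvar describes $? shows it was an exit code of 255 and no signal.
sub decode_status {
    my ($status) = @_;
    return {
        exit_code => $status >> 8,          # 65280 >> 8 == 255
        signal    => $status & 127,
        core_dump => ($status & 128) ? 1 : 0,
    };
}

# Run df without a shell and collect its output as a list of lines, which is the
# "array, not a scalar" point 2 makes. Returns (\@lines, decoded status).
sub run_df {
    my ($mount) = @_;   # optional mount point to restrict the report to

    # Allowlist (constructed for this example): a user-chosen mount point is
    # accepted only if it is one we know; anything else is refused outright.
    my %allowed = map { $_ => 1 } qw(/ /home /tmp);
    my @args = ('/usr/bin/df', '-k');
    if (defined $mount) {
        die "mount point not permitted\n" unless $allowed{$mount};
        ($mount) = $mount =~ m{^(/[\w/]*)$};   # untaint only after the check
        push @args, $mount;
    }

    # Taint mode refuses to start a child while PATH and friends are tainted.
    local $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # List-form open: the program and each argument are passed to exec()
    # individually, so there is no shell to interpret metacharacters.
    open(my $fh, '-|', @args) or die "cannot run df: $!\n";
    my @lines = <$fh>;
    close $fh;                 # sets $? to the child's wait status
    my $status = $?;
    return (\@lines, decode_status($status));
}

if (!caller) {
    my $st = decode_status(65280);
    print "status 65280 means exit code $st->{exit_code}, signal $st->{signal}\n";
    my ($lines, $status) = run_df();
    print "df exited $status->{exit_code} and produced ", scalar(@$lines), " lines:\n";
    print @$lines;
}
```

Run it as perl -T script.pl: the -T on the #! line only takes effect when the kernel starts the script, so from a shell it has to be repeated on the command line. In a CGI, the mount point would come from param() and would still have to pass the allowlist before reaching @args.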