WarrenBullockIII has asked for the wisdom of the Perl Monks concerning the following question:

The other day I posted a message asking for assistance on cookies. The message was this:

The following script is just a rough test script I am trying to use to experiment with cookies. The script checks for the existence of a cookie first. If it finds an existing cookie it prints out a welcome message. If it doesn't find a cookie it prints the form to allow the person to send themselves a cookie. When they visit the page again it will automatically display the welcome message. The problem I am having with this script is that I would like the welcome message to say something like:

    Welcome back: John

instead I get something like:

    Welcome back: user=John

I am not sure how to display the cookie value without the name... Any help would be appreciated.

    #!/usr/bin/perl
    use CGI;
    $query = new CGI;

    # Reads the raw Cookie header, so each piece still looks like "user=John"
    if($ENV{'HTTP_COOKIE'}){
        print $query->header;
        print "<PRE>\n";
        $cook = $ENV{'HTTP_COOKIE'};
        @cookies = split /;/, $cook;
        foreach $new (@cookies){
            print "Welcome back:" . $new;
        }
        print "</PRE>\n";
    }
    else{
        if($query->param('name')){
            $cookie = $query->cookie(-name=>'user',
                                     -value=>$query->param('name'),
                                     -expires=>'+30d',
                                     -path=>'/');
            print $query->header(-cookie=>$cookie);
            print "Thank you for registering!\n";
            print "When you view this page again you will see a welcoming message instead of the form<BR>";
        }
        else{
            print $query->header;
            print "<CENTER><H3>Testing a page with cookies</H3></CENTER>\n\n";
            print "<P></P>\n\n";
            #construct the form that asks for the username...
            print "<FORM METHOD=\"post\"\n>";
            print "Please type your name: ";
            print "<INPUT TYPE=\"text\" NAME=\"name\" SIZE=20>\n";
            print "<INPUT TYPE=\"submit\" VALUE=\"register\">\n";
            print "</FORM>\n\n";
            &end_page;
        }
    }

    sub start_page{
        print "<HTML><HEAD><TITLE>Testing a script with cookies</TITLE></HEAD>\n\n";
        print "<BODY>\n";
    }

    sub end_page{
        print "</BODY>\n\n";
        print "</HTML>\n";
    }

However, I had many people tell me that using environment variables was quite dangerous, and I was still stuck because I couldn't get the value alone from the cookie to display... I kept getting something like user=Warren instead of Warren. I modified my code a little and came up with this... Any comments are welcome :-)

    #!/usr/bin/perl
    use CGI;
    $query = new CGI;

    if($query->cookie('user')){
        print $query->header;
        $content = $query->cookie('user');
        @new = split ("=", $content);
        foreach $user (@new){
            if($user !~ /^user$/){
                print "Welcome back $user\n";
            }
        }
    }
    else{
        if($query->param('name')){
            $cookie = $query->cookie(-name=>'user',
                                     -value=>$query->param('name'),
                                     -expires=>'+30d',
                                     -path=>'/');
            print $query->header(-cookie=>$cookie);
            print "Thank you for registering!\n";
        }
        else{
            print $query->header;
            print "<CENTER><H3>Testing a page with cookies</H3> </CENTER> \n \n";
            print "<P></P>\n\n";
            #construct the form that asks for the username...
            print "<FORM METHOD=\"post\"\n>";
            print "Please type your name: ";
            print "<INPUT TYPE=\"text\" NAME=\"name\" SIZE=20>\n";
            print "<INPUT TYPE=\"submit\" VALUE=\"register\">\n";
            print "</FORM>\n\n";
            &end_page;
        }
    }

    sub start_page{
        print "<HTML><HEAD><TITLE>Testing a script with cookies</TITLE></HEAD>\n\n";
        print "<BODY>\n";
    }

    sub end_page{
        print "</BODY>\n\n";
        print "</HTML>\n";
    }

Re: Pulling out the value of a cookie: Revisited
by dws (Chancellor) on Jul 25, 2002 at 17:35 UTC
    Any comments are welcome :-)

    Three comments:

    1. Taint check. If someone sneaks Javascript into a cookie, they've set you up for a "cross-site scripting attack" (i.e., you'll end up emitting their javascript in your page).

    2. The fragment

        $content = $query->cookie('user');
        @new = split ("=", $content);

    should set you up for a one-trip loop, since the value you get back shouldn't have "=" signs embedded unless they're a legal character in the cookie value. You should be able to get by with

        $user = $query->cookie('user');

    3. Mixing hand-coded HTML with HTML generated by CGI is confusing, and could complicate maintenance. Either use templates, or go all the way with CGI methods.
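
An added example (not code from the thread or from any poster) of points 1 and 2 above: take the value straight from `$query->cookie('user')`, check it against an allowlist, and HTML-escape it before it reaches the page. The sub name `safe_user_from_cookie`, the allowlist pattern and the sample Cookie headers are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Return the 'user' cookie as a display-safe string, or nothing if the
# cookie is absent or fails validation.
# Assumed allowlist for this example: letters, digits, space, apostrophe,
# dot and hyphen, 1 to 40 characters.
sub safe_user_from_cookie {
    my ($query) = @_;

    # cookie('user') returns only the value, already URL-decoded,
    # so there is no "user=" prefix to split off.
    my $raw = $query->cookie('user');
    return unless defined $raw;

    # Validate the whole string. Capturing from a successful match is also
    # the way data is untainted when the script runs under perl -T.
    my ($name) = $raw =~ /\A([A-Za-z0-9 '.\-]{1,40})\z/
        or return;

    # Encode for the HTML context even after validation: the allowlist
    # admits an apostrophe, which matters inside attribute values.
    return $query->escapeHTML($name);
}

# Constructed requests: HTTP_COOKIE is set the way a web server would set it.
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING}   = '';

my @constructed_headers = (
    'user=John',                                   # ordinary name
    'user=O%27Brien',                              # allowed, but needs escaping
    'user=%3Cscript%3Ealert(1)%3C%2Fscript%3E',    # markup in the cookie value
    'other=1',                                     # no 'user' cookie at all
);

for my $header (@constructed_headers) {
    local $ENV{HTTP_COOKIE} = $header;
    my $query = CGI->new;
    my $user  = safe_user_from_cookie($query);
    print defined $user
        ? "Welcome back: $user\n"
        : "No usable 'user' cookie: show the registration form\n";
}
```

The same check belongs on `$query->param('name')` before it is written into the cookie, but the read side cannot rely on that, because the browser can send any cookie value it likes.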

Re: Pulling out the value of a cookie: Revisited
by BrowserUk (Patriarch) on Jul 25, 2002 at 17:57 UTC

    Update: WarrenBullockIII, I apologise. I (eventually) saw your comment in the CB and revisited your question and you're right, I hadn't read all of your post.

    I would have apologised in the CB, but my link is subject to an extreme lag at the moment.

    End update. The rest of this post is wrong/redundant.

    Don't bother...