Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks, I am busying myself with cgi-fun and thought it sensible to add in a few safe-guards so that if nothing is entered into the form, the user gets a polite message, not an internal server error. Anyway, I thought this simple reg-exp would work (below). Can anyone suggest why is might be going wrong. Many thanks. 
# snippet from script 1
print qq(<FORM METHOD="post" ACTION="http://localhost/~sm125/cgi-bin/f
+rontpage.cgi"><h3>Enter: </h3><INPUT TYPE="TEXT" NAME="box" SIZE="10"
+><h3>Enter: </h3><INPUT TYPE="text" NAME="value" SIZE="10"><INPUT TYP
+E="SUBMIT" value="go"></FORM>);

[download]
second script 
# snippet from frontpage.cgi
#!/biol/programs/perl/bin/perl -w

use strict;

use CGI qw(:standard);

my $cgi;

$cgi = new CGI;
use CGI::Carp qw(fatalsToBrowser);

my $box = $cgi->param('box');
my $value = $cgi->param('value');


if (($box !~ /\w+/) && ($value !~ /\w+/))   {

 print "You haven't entered anything on the form";
 print STDOUT  $cgi->end_html;
 exit (0);
}

[download]

Replies are listed 'Best First'.
Re: CGI + safeguards
by valdez (Monsignor) on Feb 20, 2003 at 13:02 UTC

    You are testing values of both parameters, just change && with or.

    Ciao, Valerio

[reply]
[d/l]
[select]
Re: CGI + safeguards
by Tomte (Priest) on Feb 20, 2003 at 13:04 UTC

    Talking about safe-guards: you might want to check the -t and -T switches.

    To the regexp:

    • The check-logic is wrong, you want to bail out safely if either of the values is undefined, not both
    • One \w character in the input is enough ATM to match, so but you want to check that the whole value matches only \w-characters
    • that leads to something like 
      ($box !~ /^[my allowed characters in a handy class]+$/ ||
$value !~ /^[my allowed characters in a handy class]+$/

      [download]

    hth,
    regards,
    tomte

[reply]
[d/l]
Re: CGI + safeguards
by Joost (Canon) on Feb 20, 2003 at 13:13 UTC
    Can anyone suggest why is might be going wrong. 

    if (($box !~ /\w+/) && ($value !~ /\w+/))   {
 print "You haven't entered anything on the form";
 print STDOUT  $cgi->end_html;
 exit (0);
}

    [download]
    Some things are seem strange to me:
    • Your code will complain when someone doesn't enter a 'word' character (that is, [a-zA-Z0-9_] or something similar, depending on locale).

      For instance, when someone enters a "#" character, your code will complain.

      Probably you'll want to change either the message, or the regex, depending on what kind of values are allowed.

    • Your regex will give undefined values warnings when there is no data submitted to the form.

    • print STDOUT $something is equivalent to print $something here.

    • You do not print a HTTP-header, or start the HTML document in the error message: use print $cgi->header, $cgi->start_html("CGI Error"); or something similar.

    • I would put the use CGI::Carp line to the top of the script, so the error handler would be installed ASAP. 
    -- 
Joost       downtime n. The period during which a system
            is error-free and immune from user input.

    [download]
[reply]
[d/l]
[select]
Re: (nrd) CGI + safeguards
by newrisedesigns (Curate) on Feb 20, 2003 at 13:02 UTC

    It doesn't look like you are printing out headers. Are you?

    John J Reiser
    newrisedesigns.com

[reply]
Re: CGI + safeguards
by jacques (Priest) on Feb 20, 2003 at 13:59 UTC
[reply]

Back to Seekers of Perl Wisdom