Re: Lost Backs\ash

If you want to have a literal backslash in a string then you have to escape it. You wrote " C:\WINDOWS\Profiles\eoin\My Documents\images\border.jpg" but really you have to write that as " C:\\WINDOWS\\Profiles\\eoin\\My Documents\\images\\border.jpg".

Added: Oh I see. You're using the filename all wrong. You have to accept that the filename as given by the browser isn't going to be used locally since you can't really trust it to be sane. Consider this - depending on the browser the filename may contain backslashes, slashes or colons or perhaps other odd things. Those are all OS dependant characters and you can't really trust them all too much. Here's an alternate implementation.

A short list of changes:

Removed a security hole
Used taint mode (read perlsec if you haven't already)
Removed a bug - you didn't fetch the $pics{'pic'} entry before.
Switched to the standard File::Spec
Used CGI to generate the HTML since your HTML was invalid
Replaced './albums' with a configuration variable
Made an example of localizing a filehandle before using it which is always important in larger scripts
Made an example of not using the implict $_ stomping behaviour of while(<..>) - again something to think about in larger scripts
Added error detection on system calls (open,print,close)
Lastly, because I was doing the work for you I made the formatting look nice to me.

##!/usr/bin/perl -wT
use strict;
use warnings;
use diagnostics;
use File::Spec::Functions;
use CGI qw(:standard);

our $ALBUM_DIR = "albums";

my $user  = param("user"); 
my ($album) = param("T1") =~ /([\w ]+)/; # Untaint the album dir name
my $albumdir = catdir( $ALBUMDIR, $album );

unless ( -d $albumdir ) {
    mkdir $albumdir, 0775;
}

my @pics;
for ( '', 0 .. 13 ) {
    push @pics, {
        idx  => $_,
        name => (param("photo$_") =~ /.+([\w. ]+)/)[0],
        fh   => upload("photo$_")
    };
}

foreach my $pic (@pics) {
    my $name = $pic->{'name'};
    my $fh   = $pic->{'fh'};
    my $filenm = catfile( $albumdir, "pic$idx" );

    local *IMAGE;
    open IMAGE, ">", $filenm
        or die "Couldn't open $filenm for writing: $!";
    binmode IMAGE;
    while (my $line = <$fh>) {
        print IMAGE $line
            or die "Couldn't write to $filenm: $!";
    }
    close IMAGE
        or die "Couldn't close $filename while writing: $!";
}

print
    header,
    start_html(
        -title => 'Please Wait',
        -meta  =>
            { "HTTP-EQUIV" => "refresh",
              CONTENT => "05;URL=http://eoinmurphy00.netfirms.com/cgi-
+bin/main.cgi?status=home&user=$user" },
    ),
    p('Please Wait'),
    p('You will be redirected to the main page in two seconds.'),
    p("Thank you $user"),
    end_html;
[download]

Comment on Re: Lost Backs\ash Download Code

Replies are listed 'Best First'.
Re: Re: Lost Backs\ash by eoin (Monk) on Aug 14, 2003 at 12:35 UTC
I understand that, but this is for input form a file upload web form so the user will be using a browse button to choose a file and then that filename and path will appear in the textbox and then you click submit. So I have no control over what is sent by the form but only what the script revcieves and uses. Its a real head tangler. All the Best, Eoin... _{If everything seems to be going well, you obviously don't know what the hell is going on.}	[reply]

Replies are listed 'Best First'.

Re: Re: Lost Backs\ash
by eoin (Monk) on Aug 14, 2003 at 12:35 UTC

All the Best, Eoin...

_{If everything seems to be going well, you obviously don't know what the hell is going on.}

[reply]